Details
Type: Bug
Status: Resolved
Priority: Major
Resolution: Duplicate
Affects Version/s: 3.6.1, 3.6.2
Fix Version/s: None
Component/s: None
Labels: None
Description
Hello everyone,
I work for a product which uses apache/zookeeper 3.6.1. We scanned our product with a security scanner which reported CVE-2019-17571.
After analysis we found that this vulnerability is coming from zookeeper 3.6.1 because of direct dependency on log4j 1.2.17.
Statement regarding 1.x version of log4j from official site:
A security vulnerability, CVE-2019-17571, has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained, this issue will not be fixed. Users are urged to upgrade to Log4j 2.x.
Could you please share your rationale on not upgrading log4j to 2.x?
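The reporter's scanner flagged log4j 1.2.17 arriving through zookeeper 3.6.1. The following added example (not code from this issue or from the ZooKeeper project) shows how to locate such a transitive Log4j 1.x dependency and the chain that introduces it, by parsing the text that `mvn dependency:tree` prints; the sample tree is constructed here, and the coordinates other than zookeeper 3.6.1 and log4j 1.2.17 are illustrative assumptions.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `mvn dependency:tree` output. Only zookeeper:3.6.1
# and log4j:1.2.17 come from the issue; the other artifacts are assumed.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.apache.zookeeper:zookeeper:jar:3.6.1:compile
[INFO] |  +- org.apache.zookeeper:zookeeper-jute:jar:3.6.1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.25:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.13:test
"""

# A tree line is "[INFO] " + drawing prefix (3 chars per level) + coordinate.
LINE_RE = re.compile(
    r"^\[INFO\] (?P<prefix>[-|+\\ ]*)(?P<coord>[^\s:]+:[^\s:]+:[^\s:]+:\S+)$"
)


@dataclass
class Finding:
    coordinate: str
    version: str
    path: List[str]  # artifactIds from the project root down to log4j


def parse_version(coord: str) -> str:
    # groupId:artifactId:type[:classifier]:version[:scope]
    parts = coord.split(":")
    return parts[-2] if len(parts) >= 5 else parts[-1]


def find_log4j1(tree_text: str) -> List[Finding]:
    """Return every log4j:log4j 1.x node in the tree with its dependency chain."""
    findings: List[Finding] = []
    stack: List[str] = []  # coordinates of the ancestors at each depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banner, blank and BUILD lines are skipped
        depth = len(m.group("prefix")) // 3
        coord = m.group("coord")
        del stack[depth:]  # pop back to this node's parent
        stack.append(coord)
        group, artifact = coord.split(":")[:2]
        version = parse_version(coord)
        if group == "log4j" and artifact == "log4j" and version.startswith("1."):
            findings.append(Finding(coord, version, [c.split(":")[1] for c in stack]))
    return findings


if __name__ == "__main__":
    for f in find_log4j1(SAMPLE_TREE):
        print(f"{f.coordinate} via {' -> '.join(f.path)}")
```

The path tells you which dependency to exclude or override in the pom; on the sample it reports `myapp -> zookeeper -> log4j`, matching the chain the reporter describes.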
Issue Links
duplicates: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer (Closed)