[
https://issues.apache.org/jira/browse/SAMZA-2683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Chen resolved SAMZA-2683.
--------------------------------
Resolution: Fixed
closed inĀ https://github.com/apache/samza/pull/1527
> Bump up Scalatra version to pull latest dependencies
> ----------------------------------------------------
>
> Key: SAMZA-2683
> URL: https://issues.apache.org/jira/browse/SAMZA-2683
> Project: Samza
> Issue Type: Improvement
> Affects Versions: 1.6
> Reporter: Daniel Chen
> Assignee: Daniel Chen
> Priority: Major
> Fix For: 1.7
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14 which
> possesses security concerns:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions up to 1.2
> up to 1.2.17. Users are advised to migrate to
> `org.apache.logging.log4j:log4j-core` remediation: No fix is known for this
> vulnerability"
> The latest Scalatra 2.7.1 version no longer depends on this dangerous library
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
