[
https://issues.apache.org/jira/browse/SSHD-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499855#comment-17499855
]
Putra Nugraha commented on SSHD-1248:
-------------------------------------
Hi [~twolf] ,
Sorry I deleted the comment as I found out a minute later that it is not from
Mina SSHD as you mentioned. The Log4J dependencies came from the
spring-boot-starter-parent which mentioned in this article
[https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot.|https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot]
Thank you very much for the prompt and great supports, really sorry once again
for the invalid information and inconvenience caused.
> Log4J2 Security Vulneralibility ( CVE-2021-44832 )
> --------------------------------------------------
>
> Key: SSHD-1248
> URL: https://issues.apache.org/jira/browse/SSHD-1248
> Project: MINA SSHD
> Issue Type: Question
> Affects Versions: 2.8.0
> Reporter: Putra Nugraha
> Priority: Major
> Attachments: effective-pom.xml, image-2022-02-28-15-06-13-418.png
>
>
> Upon checking a possible security vulnerabilities, I noticed MINA SSHD is
> using Log4J2 version 2.14.1 and Log4J2 made some fixes in the later version (
> 2.17.1 for Java 8 ) which one if it is related to security vulnerabilities to
> RCE.
>
> May I know if there is any plan on MINA SSHD to adapt the above fix? Or can
> we please have this fixed if not planned?
>
> Further details on the above Log4J security vulnerabilities can be found here
> https://logging.apache.org/log4j/2.x/security.html
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@mina.apache.org
For additional commands, e-mail: dev-h...@mina.apache.org
