[ https://issues.apache.org/jira/browse/QPIDJMS-503?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17108425#comment-17108425 ]

ASF subversion and git services commented on QPIDJMS-503:
---------------------------------------------------------

Commit 2f547a288ead1f9ce32481a8a4e07aacceae2c11 in qpid-jms's branch refs/heads/master from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-jms.git;h=2f547a2 ]

QPIDJMS-503: Upgrade to log4j2


> Upgrade log4j dependency to log4j2
> ----------------------------------
>
>                 Key: QPIDJMS-503
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-503
>             Project: Qpid JMS
>          Issue Type: Task
>          Components: qpid-jms-client
>            Reporter: Alex Rudyy
>            Priority: Major
>
> log4j 1.x reached EOL on August 5, 2015 as per 
> [http://logging.apache.org/log4j/1.2/]. The client is distributed with an 
> optional dependency on log4j 1.2.17. There is 
> [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised 
> against this version for class SocketServer, which is vulnerable to 
> deserialization of untrusted data. Though no log4j configuration in the Qpid 
> JMS client uses SocketServer, open source scanning tools flag the JMS 
> client bundle as being impacted by CVE-2019-17571.
> In order to silence such open source scanning tools, the log4j dependencies 
> can be upgraded to log4j2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
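The dependency swap the task describes, shown as an added Maven pom fragment. This is an example written for this page, not the project's pom and not the content of the linked commit. The "before" coordinates `log4j:log4j:1.2.17` are exactly what coordinate-based scanners match against CVE-2019-17571, whether or not SocketServer is ever configured. The "after" assumes the client logs through SLF4J and so binds log4j2 via `log4j-slf4j-impl` (an assumption, not stated on the page); the version property and its value are placeholders.

```xml
<!-- BEFORE (example, not the project's pom): the artifact a scanner flags.
     A coordinate-based scanner does not care that SocketServer is unused;
     the presence of log4j:log4j:1.2.17 on the dependency list is enough. -->
<dependencies>
  <dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
    <optional>true</optional>
  </dependency>
</dependencies>

<!-- AFTER (example, not the project's pom): log4j2 reached through SLF4J.
     Assumption: the client's own code logs via SLF4J, so log4j-slf4j-impl
     routes those calls to log4j-core. Both stay optional, matching the
     original's optional log4j 1.x dependency.
     log4j2.version is a placeholder; pin a current 2.x release, because
     old log4j-core versions carry their own CVEs that the same scanners flag
     (SocketServer deserialization CVE-2017-5645 before 2.8.2, and the JNDI
     lookup issue CVE-2021-44228 and follow-ups before 2.17.x). -->
<properties>
  <log4j2.version>2.17.1</log4j2.version>
</properties>
<dependencies>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
    <optional>true</optional>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
    <optional>true</optional>
  </dependency>
</dependencies>
```

To confirm the old artifact is really gone from the resolved graph rather than just from the direct dependency list, run `mvn dependency:tree -Dincludes=log4j:log4j` in the module: an empty result means no transitive path still pulls in log4j 1.x, which is the condition the scanners are actually checking.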
