[ https://issues.apache.org/jira/browse/QPIDJMS-503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robbie Gemmell updated QPIDJMS-503:
-----------------------------------
    Affects Version/s: 0.51.0

> Upgrade examples log4j dependency to log4j2
> -------------------------------------------
>
>                 Key: QPIDJMS-503
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-503
>             Project: Qpid JMS
>          Issue Type: Task
>          Components: qpid-jms-client
>    Affects Versions: 0.51.0
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: 0.52.0
>
>
> log4j 1.x reached EOL on August 5, 2015 as per
> [http://logging.apache.org/log4j/1.2/]. The client is distributed with an
> optional dependency on log4j 1.2.17. There is
> [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised
> against this version for class SocketServer, which is vulnerable to
> deserialization of untrusted data. Though no log4j configuration in the Qpid
> JMS client uses SocketServer, the open source scanning tools flag the JMS
> client bundle as being impacted by CVE-2019-17571.
> In order to silence such open source scanning tools the log4j dependencies
> can be upgraded to log4j2.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)