[ https://issues.apache.org/jira/browse/QPIDJMS-503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell resolved QPIDJMS-503.
------------------------------------
    Resolution: Fixed

> Upgrade examples log4j dependency to log4j2
> -------------------------------------------
>
>                 Key: QPIDJMS-503
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-503
>             Project: Qpid JMS
>          Issue Type: Task
>          Components: qpid-jms-client
>    Affects Versions: 0.51.0
>            Reporter: Alex Rudyy
>            Priority: Major
>             Fix For: 0.52.0
>
>
> Log4j 1.x reached EOL on August 5, 2015, as per 
> [http://logging.apache.org/log4j/1.2/]. The client is distributed with an 
> optional dependency on log4j 1.2.17. There is 
> [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised 
> against this version for the class SocketServer, which is vulnerable to 
> deserialization of untrusted data. Though no log4j configuration in the Qpid 
> JMS client uses SocketServer, open source scanning tools flag the JMS 
> client bundle as being impacted by CVE-2019-17571.
> In order to silence such open source scanning tools, the log4j dependencies 
> can be upgraded to log4j2.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
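As an added example, not part of the Jira issue or of the Qpid JMS project's own code: a small Python check of the kind a dependency scanner performs on a distribution bundle. It inspects a jar's entry names for the log4j 1.x SocketServer class (the class named in CVE-2019-17571) and reads the version from log4j's own Maven pom.properties, which is why a bundle is flagged even when no logging configuration ever uses SocketServer. The two jars are constructed in memory with the real entry layout of log4j 1.2.17 (org/apache/log4j/...) and log4j2's log4j-core (org/apache/logging/log4j/core/...) but placeholder contents; the function names are my own.

```python
import io
import zipfile

# Entry names a dependency scanner keys on.  These are the real paths inside
# the log4j:log4j:1.2.17 jar and inside log4j2's log4j-core jar.
LOG4J1_SOCKETSERVER = "org/apache/log4j/net/SocketServer.class"
LOG4J1_POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"


def _version_from_pom_properties(text):
    """Return the 'version=' value from a Maven pom.properties body, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar(jar_bytes):
    """Inspect a jar (zip) held in memory and report what a scanner would see.

    Returns a dict:
      log4j1_version   - version from log4j's pom.properties, or None
      has_socketserver - True if the CVE-2019-17571 class is shipped
      has_log4j2_core  - True if log4j2 core classes are present
      flagged          - True if the jar would be flagged for CVE-2019-17571
    """
    result = {"log4j1_version": None, "has_socketserver": False,
              "has_log4j2_core": False, "flagged": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        result["has_socketserver"] = LOG4J1_SOCKETSERVER in names
        result["has_log4j2_core"] = any(n.startswith(LOG4J2_CORE_PREFIX) for n in names)
        if LOG4J1_POM_PROPS in names:
            result["log4j1_version"] = _version_from_pom_properties(
                zf.read(LOG4J1_POM_PROPS).decode("utf-8", "replace"))
    # Scanners key on the presence of the vulnerable class or of a log4j 1.x
    # version marker, not on whether any log4j.properties configures
    # SocketServer; that is why a client that never uses it is still flagged.
    version = result["log4j1_version"]
    result["flagged"] = result["has_socketserver"] or (
        version is not None and version.startswith("1."))
    return result


def build_sample_jar(entries):
    """Build a constructed, minimal jar in memory from {path: bytes}.

    Class bodies are placeholders; only the entry names matter to the scan.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample: a bundle carrying log4j 1.2.17, as before the upgrade.
# Entry names mirror the real jar layout; the contents do not.
BEFORE_JAR = build_sample_jar({
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    LOG4J1_SOCKETSERVER: b"\xca\xfe\xba\xbe",
    LOG4J1_POM_PROPS: b"groupId=log4j\nartifactId=log4j\nversion=1.2.17\n",
})

# Constructed sample: the same bundle after swapping in log4j2 (log4j-core).
AFTER_JAR = build_sample_jar({
    "org/apache/logging/log4j/core/LoggerContext.class": b"\xca\xfe\xba\xbe",
    "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
})


if __name__ == "__main__":
    for label, jar in (("before", BEFORE_JAR), ("after", AFTER_JAR)):
        print(label, scan_jar(jar))
```

Run against a real distribution, the same scan over every jar in the lib directory shows whether the flag comes from the client's own optional log4j 1.2.17 jar or from something else on the classpath; after the upgrade to log4j2 the SocketServer entry and the log4j:log4j pom.properties are simply absent, so the check no longer fires.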
