[ https://issues.apache.org/jira/browse/LOG4J2-2796?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17053019#comment-17053019 ]
XuCongying commented on LOG4J2-2796:
------------------------------------

I know that. Thank you very much.

> CVEs in the execution path imported by dependencies
> ---------------------------------------------------
>
>                 Key: LOG4J2-2796
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2796
>             Project: Log4j 2
>          Issue Type: Dependency upgrade
>            Reporter: XuCongying
>            Priority: Major
>         Attachments: apache-logging-log4j2_CVE-report.md
>
>
> Hello, your project is using some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project. To prevent potential security risks it may cause, I suggest updating the library dependency. Please look into the details below.
> * *Vulnerable Dependency:* org.slf4j : slf4j-ext : 1.7.25
> * *Call Chain to Buggy Methods:*
> ** *Some files in your project call the library method org.slf4j.ext.EventData.getMessage(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
> *** Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
> *** One of the possible call chains: org.slf4j.ext.EventData.getMessage() [buggy method]
> ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventMap(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
> *** Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
> *** One of the possible call chains: org.slf4j.ext.EventData.getEventMap() [buggy method]
> ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventType(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
> *** Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
> *** One of the possible call chains: org.slf4j.ext.EventData.getEventType() [buggy method]
> ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventId(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
> *** Files in your project: log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
> *** One of the possible call chains: org.slf4j.ext.EventData.getEventId() [buggy method]
> ** *Update suggestion:* version 1.8.0-beta2
> 1.8.0-beta2 is a safe version without CVEs. From 1.7.25 to 1.8.0-beta2, the APIs used in your project have not changed.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
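The report's remediation is a version bump of org.slf4j:slf4j-ext from 1.7.25 to 1.8.0-beta2. As an added illustration that is not part of the issue and not the Log4j project's own build configuration, the Maven fragment below shows how a build would pin that artifact to the version the report names, so that the pinned version wins over any transitive request for 1.7.25. A Maven build and the property name slf4j.ext.version are assumptions for the example.

```xml
<!-- Added example, not from the issue or the Log4j project: a Maven
     dependencyManagement entry that pins the slf4j-ext artifact named in
     the report to the version the report calls safe. The property name
     slf4j.ext.version is an assumption for illustration. -->
<project>
  <properties>
    <slf4j.ext.version>1.8.0-beta2</slf4j.ext.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed version wins over any transitive request for 1.7.25 -->
      <dependency>
        <groupId>org.slf4j</groupId>
        <artifactId>slf4j-ext</artifactId>
        <version>${slf4j.ext.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After the change, `mvn dependency:tree -Dincludes=org.slf4j:slf4j-ext` shows where slf4j-ext enters the dependency graph and which version Maven actually resolved, which is the check to run before closing a report of this kind.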