While searching for software affected by the current CVE-2021-44228, I noticed that ADS is shipping with:

apacheds-2.0.0.AM26/lib/apacheds-service-2.0.0.AM26.jar (org/apache/log4j/net/SocketNode.class): log4j 1.2.17

log4j 1.2 has been EOL since 2015, and there is an RCE bug: https://www.cvedetails.com/cve/CVE-2019-17571/

Could this be exploited? Are there any plans to replace it with a current version of log4j?

Thanks,
--
Infineon Technologies IT-Services GmbH [email protected]
Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
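
An added example, not part of the original message or of ApacheDS: one way to check an archive for bundled log4j 1.x socket-receiver classes such as the `SocketNode.class` reported above, including archives nested inside it. The sample jar is constructed in memory, and the `pom.properties` path used to read the version is an assumption that holds only if the bundling jar kept log4j's Maven metadata.

```python
import io
import zipfile

# log4j 1.x socket receiver classes; the message above reports SocketNode.class.
MARKERS = ("org/apache/log4j/net/SocketNode.class",
           "org/apache/log4j/net/SocketServer.class")
# Assumption: the bundling jar may have kept log4j's Maven metadata at this path.
POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return findings for one archive (bytes) and for archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; skip it
    with zf:
        names = set(zf.namelist())
        hits = sorted(m for m in MARKERS if m in names)
        if hits:
            version = None  # stays None when the metadata was stripped
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"container": label, "classes": hits, "version": version})
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    findings += scan_archive(zf.read(name), f"{label}!/{name}",
                                             depth + 1, max_depth)
    return findings

def make_zip(entries):
    """Build an in-memory archive from a {name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def build_sample():
    """Constructed sample: a jar bundling a log4j 1.x class plus a clean nested jar."""
    clean = make_zip({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    return make_zip({MARKERS[0]: b"\xca\xfe\xba\xbe", "lib/clean.jar": clean,
                     POM_PROPS: "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n"})

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "sample-service.jar"):
        print(finding)
```

A `version` of `None` means the marker classes are present but no version metadata survived, so the finding still needs a manual look.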
