Posted to issues@struts.apache.org by "Lukasz Lenart (Jira)" <ji...@apache.org> on 2021/12/12 12:14:00 UTC

[jira] [Resolved] (WW-5151) Bump to 2.15.0 to fix log4j vulnerability

     [ https://issues.apache.org/jira/browse/WW-5151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lukasz Lenart resolved WW-5151.
-------------------------------
    Resolution: Fixed

PR got merged, thanks!

> Bump to 2.15.0 to fix log4j vulnerability
> -----------------------------------------
>
>                 Key: WW-5151
>                 URL: https://issues.apache.org/jira/browse/WW-5151
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core Actions, Other
>    Affects Versions: 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27
>         Environment: Any version that uses log4j before 2.15.0
>            Reporter: Paulino Calderon
>            Priority: Critical
>             Fix For: 2.6
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Hello,
> It seems Apache Struts is affected by the [log4j vulnerability|https://www.lunasec.io/docs/blog/log4j-zero-day/]. I've shared my findings with the security team privately where you could review the vulnerable code paths.
>
> GitHub PR: https://github.com/apache/struts/pull/511



--
This message was sent by Atlassian Jira
(v8.20.1#820001)