Posted to dev@qpid.apache.org by "Robbie Gemmell (Jira)" <ji...@apache.org> on 2020/06/08 08:47:00 UTC

[jira] [Assigned] (QPIDJMS-503) Upgrade examples log4j dependency to log4j2

     [ https://issues.apache.org/jira/browse/QPIDJMS-503?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robbie Gemmell reassigned QPIDJMS-503:
--------------------------------------

    Assignee: Robbie Gemmell

> Upgrade examples log4j dependency to log4j2
> -------------------------------------------
>
>                 Key: QPIDJMS-503
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-503
>             Project: Qpid JMS
>          Issue Type: Task
>          Components: qpid-jms-client
>    Affects Versions: 0.51.0
>            Reporter: Alex Rudyy
>            Assignee: Robbie Gemmell
>            Priority: Major
>             Fix For: 0.52.0
>
>
> Log4j 1.x reached EOL on August 5, 2015 as per [http://logging.apache.org/log4j/1.2/]. The client is distributed with an optional dependency, log4j 1.2.17. There is [CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised against this version for the class SocketServer, which is vulnerable to deserialization of untrusted data. Though no log4j configuration in the Qpid JMS client uses SocketServer, open source scanning tools flag the JMS client bundle as being impacted by CVE-2019-17571.
> In order to silence such open source scanning tools the log4j dependencies can be upgraded to log4j2.
> Added detail for clarity: note that the client itself has no dependency on Log4J. It is used in the tests and the examples, and is in the release archive for use with those, but the actual client module does not use it (it uses only SLF4J).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org
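The issue above turns on a distinction scanners do not make: the release archive contains log4j-1.2.17.jar, so the bundle is flagged, but the only class the CVE concerns (org.apache.log4j.net.SocketServer) is neither configured nor referenced by the client. The script below is an added example of how to triage such a finding; it is not code from the Qpid JMS project. It walks a zip-of-jars bundle, reports which nested jars actually ship the vulnerable class, and then checks every other jar's class files for the class's internal name (the form it takes in a constant pool). The archive it scans is constructed in memory: the jar names mirror the issue (client 0.51.0, log4j 1.2.17) but the class bytes are placeholders, and the "examples" jar that references SocketServer in the second scenario is hypothetical.

```python
"""
Triage a release bundle that a scanner flags for CVE-2019-17571.

Two separate questions:
  1. Which nested jars contain the vulnerable class,
     org.apache.log4j.net.SocketServer (log4j 1.x)?
  2. Does any *other* jar reference that class? A class reference shows up
     in a .class file's constant pool as the internal name with slashes,
     "org/apache/log4j/net/SocketServer", so a byte search is a cheap check.

The bundle built by build_sample_archive() is constructed for this example;
names follow the Jira issue, contents are placeholders, not real classes.
"""
import io
import re
import zipfile

VULN_CLASS = "org/apache/log4j/net/SocketServer"
LOG4J1_NAME = re.compile(r"(^|/)log4j-(1\.\d+(\.\d+)?)\.jar$")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # every JVM class file starts with this


def _jar(entries):
    """Build a jar (a zip) in memory from {entry name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_archive(with_reference=False):
    """Constructed bundle: client jar (SLF4J only), slf4j-api, log4j 1.2.17.

    with_reference=True adds a hypothetical examples jar whose placeholder
    class references SocketServer, to show the positive case.
    """
    client = _jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        # placeholder: the client references org/slf4j/Logger, never log4j
        "org/apache/qpid/jms/JmsConnection.class": CLASS_MAGIC + b"org/slf4j/Logger",
    })
    slf4j = _jar({"org/slf4j/Logger.class": CLASS_MAGIC})
    log4j = _jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n",
        VULN_CLASS + ".class": CLASS_MAGIC,  # the class the CVE is about
        "org/apache/log4j/Logger.class": CLASS_MAGIC,
    })
    bundle = {
        "apache-qpid-jms-0.51.0/lib/qpid-jms-client-0.51.0.jar": client,
        "apache-qpid-jms-0.51.0/lib/slf4j-api.jar": slf4j,
        "apache-qpid-jms-0.51.0/lib/optional/log4j-1.2.17.jar": log4j,
    }
    if with_reference:
        # hypothetical jar (assumption, not from the project) that wires up
        # a SocketServer and would make the finding reachable
        bundle["apache-qpid-jms-0.51.0/examples/hypothetical-example.jar"] = _jar({
            "example/LogReceiver.class": CLASS_MAGIC + VULN_CLASS.encode(),
        })
    return _jar(bundle)


def scan_archive(archive_bytes):
    """Return (vulnerable_jars, referencing_jars) for a zip-of-jars bundle.

    vulnerable_jars: [(path, log4j-1.x version or "unknown")] for jars that
                     ship the SocketServer class.
    referencing_jars: paths of other jars with a class that names it.
    """
    vulnerable, referencing = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as outer:
        for info in outer.infolist():
            if not info.filename.endswith(".jar"):
                continue
            with zipfile.ZipFile(io.BytesIO(outer.read(info))) as jar:
                names = jar.namelist()
                if VULN_CLASS + ".class" in names:
                    m = LOG4J1_NAME.search(info.filename)
                    vulnerable.append((info.filename, m.group(2) if m else "unknown"))
                    continue  # the vulnerable jar naturally names its own class
                for n in names:
                    if n.endswith(".class") and VULN_CLASS.encode() in jar.read(n):
                        referencing.append(info.filename)
                        break
    return vulnerable, referencing


def triage(archive_bytes):
    """Summarise: is the bundle flagged, and is the flagged class referenced?"""
    vulnerable, referencing = scan_archive(archive_bytes)
    return {
        "flagged": bool(vulnerable),
        "vulnerable_jars": vulnerable,
        "referenced_by": referencing,
        "reachable_by_reference": bool(referencing),
    }


if __name__ == "__main__":
    for scenario in (False, True):
        print(triage(build_sample_archive(with_reference=scenario)))
```

Two caveats when using this against a real bundle. The constant-pool byte search is deliberately crude: it will also match a string literal containing the name and will miss reflective or script-driven use, and CVE-2019-17571 is exercised by running SocketServer as a listening process, which no classpath check can see. So the second step is to confirm the dependency's scope in the build (test or optional, as the issue states for this project) and that nothing in the shipped scripts or configuration starts a log4j socket server. The result still tells you what the scanner cannot: whether the flagged jar is merely present or actually wired into the code you ship.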