Posted to dev@logging.apache.org by Volkan Yazıcı <vo...@yazi.ci> on 2021/12/13 09:31:36 UTC

LOG4J2-3213 CVE missing CPE information in NVD

Mind somebody helping with LOG4J2-3213
<https://issues.apache.org/jira/browse/LOG4J2-3213>, please? I have no idea
how this entire CVE process is managed and updated. I would appreciate it
if the one who performs the correction can also share how he/she did that.
So that next time first-timers like me can also help.

Re: LOG4J2-3213 CVE missing CPE information in NVD

Posted by Matt Sicker <bo...@gmail.com>.
I did not fix that. As for how they’re made, I found the CPE database and searched for log4j to find the existing strings.

As for editing CVEs, that’s through this site: https://cveprocess.apache.org/
--
Matt Sicker

> On Dec 13, 2021, at 16:04, Volkan Yazıcı <vo...@yazi.ci> wrote:
> 
> Matt, I see that it is fixed in
> https://nvd.nist.gov/vuln/detail/CVE-2021-44228
> Did you do it? If so,
> 1. How did you come up with CPEs?
> 2. How did you edit the CVE?
> 
> 
> On Mon, Dec 13, 2021 at 6:50 PM Matt Sicker <bo...@gmail.com> wrote:
> 
>> Based on existing CPEs, I think it would look something like:
>> 
>> cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* up to version 2.14.1 are affected.
>> 
>> On Mon, Dec 13, 2021 at 3:31 AM Volkan Yazıcı <vo...@yazi.ci> wrote:
>>> 
>>> Mind somebody helping with LOG4J2-3213
>>> <https://issues.apache.org/jira/browse/LOG4J2-3213>, please? I have no idea
>>> how this entire CVE process is managed and updated. I would appreciate it
>>> if the one who performs the correction can also share how he/she did that.
>>> So that next time first-timers like me can also help.
>> 


Re: LOG4J2-3213 CVE missing CPE information in NVD

Posted by Volkan Yazıcı <vo...@yazi.ci>.
Matt, I see that it is fixed in
https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Did you do it? If so,
1. How did you come up with CPEs?
2. How did you edit the CVE?


On Mon, Dec 13, 2021 at 6:50 PM Matt Sicker <bo...@gmail.com> wrote:

> Based on existing CPEs, I think it would look something like:
>
> cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* up to version 2.14.1 are affected.
>
> On Mon, Dec 13, 2021 at 3:31 AM Volkan Yazıcı <vo...@yazi.ci> wrote:
> >
> > Mind somebody helping with LOG4J2-3213
> > <https://issues.apache.org/jira/browse/LOG4J2-3213>, please? I have no idea
> > how this entire CVE process is managed and updated. I would appreciate it
> > if the one who performs the correction can also share how he/she did that.
> > So that next time first-timers like me can also help.
>

Re: LOG4J2-3213 CVE missing CPE information in NVD

Posted by Matt Sicker <bo...@gmail.com>.
Based on existing CPEs, I think it would look something like:

cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* up to version 2.14.1 are affected.

On Mon, Dec 13, 2021 at 3:31 AM Volkan Yazıcı <vo...@yazi.ci> wrote:
>
> Mind somebody helping with LOG4J2-3213
> <https://issues.apache.org/jira/browse/LOG4J2-3213>, please? I have no idea
> how this entire CVE process is managed and updated. I would appreciate it
> if the one who performs the correction can also share how he/she did that.
> So that next time first-timers like me can also help.
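
Added example, not part of the thread and not Apache or NVD code: how a dependency inventory can be matched against the CPE string proposed above together with its "up to version 2.14.1" bound. The bound is read as inclusive here (an assumption), and the inventory entries and function names are constructed for illustration.

```python
import re

# Attribute order of a CPE 2.3 formatted string, after the "cpe:2.3:" prefix.
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into a dict of its 11 attributes."""
    # Split on ':' unless it is backslash-escaped (escaped colons are data).
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, parts[2:]))

def version_key(version):
    """Map '2.14.1' to (2, 14, 1) so that 2.9.1 sorts before 2.14.1."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(p) for p in version.split("."))

def is_affected(component, cpe, end_including):
    """True if the component matches the CPE and is <= the upper bound."""
    pattern = parse_cpe23(cpe)
    for field in ("vendor", "product"):
        if pattern[field] not in ("*", component[field]):   # '*' means ANY
            return False
    if pattern["version"] != "*":                           # exact version pinned
        return pattern["version"] == component["version"]
    return version_key(component["version"]) <= version_key(end_including)

def affected_versions(inventory, cpe, end_including):
    """Versions of inventory entries that fall under the CPE and bound."""
    return [c["version"] for c in inventory if is_affected(c, cpe, end_including)]

# CPE string and bound as written in the thread.
CPE = "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
END_INCLUDING = "2.14.1"

# Constructed sample inventory.
INVENTORY = [
    {"vendor": "apache", "product": "log4j", "version": "2.14.1"},
    {"vendor": "apache", "product": "log4j", "version": "2.15.0"},
    {"vendor": "apache", "product": "log4j", "version": "2.9.1"},
    {"vendor": "example", "product": "example_lib", "version": "1.0"},
]

if __name__ == "__main__":
    print(affected_versions(INVENTORY, CPE, END_INCLUDING))
```

Comparing versions as integer tuples rather than strings is what keeps 2.9.1 inside the range; a plain string comparison would sort it after 2.14.1.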