Posted to issues@zookeeper.apache.org by "Enrico Olivelli (Jira)" <ji...@apache.org> on 2020/01/07 23:30:00 UTC

[jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010162#comment-17010162 ] 

Enrico Olivelli commented on ZOOKEEPER-3677:
--------------------------------------------

It looks like there is no fix in log4j and that the 1.x release branch is EOL.
We should drop it and use another logging implementation.
I feel the impact will be too big for this to be done in 3.6.0 as users will have to change their configuration files for logging.

As we are not affected we could add an exclusion for 3.6 and move to log4j 2.x in 3.7 (or logback).

On the other side it is possible that 3.6 will stay for quite a long time and I don't know if we want to change the log framework on some 3.6.xy due to another issue in log4j that we can't ignore.




> owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3677
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3677
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>            Reporter: Patrick D. Hunt
>            Priority: Major
>
> Doesn't look like this impacts us (we don't use SocketServer) however we should figure out what to do as the owasp checker is failing and the rating is quite high (9.8 - bound to get interest)
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> Perhaps ZOOKEEPER-2342 should be prioritized.
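One way to express the exclusion proposed in the comment above, as an added example that is not from the ZooKeeper project or this thread: an OWASP dependency-check suppression scoped to the log4j 1.2 artifact and this single CVE, with the justification (SocketServer is not used) recorded in the notes so the decision is auditable. The file name, the Package URL pattern and the schema version are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file (assumed name: owasp-suppressions.xml);
     not part of the ZooKeeper repository. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[
      CVE-2019-17571: deserialization of untrusted data in log4j 1.2 SocketServer.
      ZooKeeper does not use org.apache.log4j.net.SocketServer, so the vulnerable
      code path is not reachable from the server or client.
      Scope: only the log4j:log4j artifact and only this CVE, so any other log4j 1.x
      finding still fails the build.
      Revisit when the logging backend is replaced (the issue points at ZOOKEEPER-2342).
    ]]></notes>
    <!-- Regex on the Package URL keeps the suppression from matching unrelated
         artifacts; alternatives are a <sha1> of the exact jar or a <cpe> match. -->
    <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
    <cve>CVE-2019-17571</cve>
  </suppress>
</suppressions>
```

dependency-check-maven picks the file up through its suppressionFiles configuration parameter (assumed wiring; the project's own build setup is not shown on this page).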


