You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zookeeper.apache.org by ph...@apache.org on 2020/01/18 19:07:55 UTC
[zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp
checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of
untrusted data in SocketServer
This is an automated email from the ASF dual-hosted git repository.
phunt pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.5 by this push:
new df1dc82 ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
df1dc82 is described below
commit df1dc8204fdb79276f10169fbd115f24012f4b21
Author: Enrico Olivelli <eo...@apache.org>
AuthorDate: Sat Jan 18 11:06:01 2020 -0800
ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Suppress error for CVE-2019-17571 as it does not affect us.
We are not running the log4j server.
Author: Enrico Olivelli <eo...@apache.org>
Reviewers: phunt@apache.org
Closes #1209 from eolivelli/fix/ZOOKEEPER-3677-owasp-log4j
Change-Id: I0ef24a7b142cd32ccf4f5c18f9e0c0132a413d6c
(cherry picked from commit 3bd6b1950eea1fabeac4bc477c8828939d008a4a)
Signed-off-by: Patrick Hunt <ph...@apache.org>
---
owaspSuppressions.xml | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 5c4bc33..ae94db4 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -41,4 +41,9 @@
this writing -->
<cve>CVE-2019-3826</cve>
</suppress>
+ <suppress>
+ <!-- false positive for us, it is about log4j server in log4j-1.2.17.jar
+ ZOOKEEPER-3677 -->
+ <cve>CVE-2019-17571</cve>
+ </suppress>
</suppressions>