Posted to issues@struts.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/12/12 12:13:00 UTC

[jira] [Commented] (WW-5151) Bump to 2.15.0 to fix log4j vulnerability

    [ https://issues.apache.org/jira/browse/WW-5151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457939#comment-17457939 ] 

ASF subversion and git services commented on WW-5151:
-----------------------------------------------------

Commit 764d3c0076cb35bbec9447e09bbe8c3bd406b3a4 in struts's branch refs/heads/master from Lukasz Lenart
[ https://gitbox.apache.org/repos/asf?p=struts.git;h=764d3c0 ]

Merge pull request #511 from cldrn/patch-1

[WW-5151] Bump to 2.15.0 to fix log4j vulnerability

> Bump to 2.15.0 to fix log4j vulnerability
> -----------------------------------------
>
>                 Key: WW-5151
>                 URL: https://issues.apache.org/jira/browse/WW-5151
>             Project: Struts 2
>          Issue Type: Dependency
>          Components: Core Actions, Other
>    Affects Versions: 2.5.20, 2.5.22, 2.5.25, 2.5.26, 2.5.27
>         Environment: Any version that uses log4j before 2.15.0
>            Reporter: Paulino Calderon
>            Priority: Critical
>             Fix For: 2.6
>
>
> Hello,
> It seems Apache Struts is affected by the [log4j vulnerability|https://www.lunasec.io/docs/blog/log4j-zero-day/]. I've shared my findings with the security team privately where you could review the vulnerable code paths.
>  
> GitHub PR: https://github.com/apache/struts/pull/511



--
This message was sent by Atlassian Jira
(v8.20.1#820001)