Posted to notifications@logging.apache.org by "Ralph Goers (Jira)" <ji...@apache.org> on 2020/03/04 00:43:00 UTC

[jira] [Closed] (LOG4J2-2796) CVEs in the execution path imported by dependencies

     [ https://issues.apache.org/jira/browse/LOG4J2-2796?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ralph Goers closed LOG4J2-2796.
-------------------------------
    Resolution: Invalid

None of these issues are relevant.

> CVEs in the execution path imported by dependencies
> ---------------------------------------------------
>
>                 Key: LOG4J2-2796
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2796
>             Project: Log4j 2
>          Issue Type: Dependency upgrade
>            Reporter: XuCongying
>            Priority: Major
>         Attachments: apache-logging-log4j2_CVE-report.md
>
>
> Hello, your project is using some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project. To prevent the potential security risks they may cause, I suggest updating the library dependency. Please look into the details below.
>  * *Vulnerable Dependency:* org.slf4j : slf4j-ext : 1.7.25
>  * *Call Chain to Buggy Methods:*
>  ** *Some files in your project call the library method org.slf4j.ext.EventData.getMessage(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
>  *** Files in your project:  log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
>  *** One of the possible call chains:
> org.slf4j.ext.EventData.getMessage() [buggy method]
>  ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventMap(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
>  *** Files in your project:  log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
>  *** One of the possible call chains:
> org.slf4j.ext.EventData.getEventMap() [buggy method]
>  ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventType(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
>  *** Files in your project:  log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
>  *** One of the possible call chains:
> org.slf4j.ext.EventData.getEventType() [buggy method]
>  ** *Some files in your project call the library method org.slf4j.ext.EventData.getEventId(), which can reach the buggy method of [CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*
>  *** Files in your project:  log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java
>  *** One of the possible call chains:
> org.slf4j.ext.EventData.getEventId() [buggy method]
>  ** *Update suggestion:* version 1.8.0-beta2 is a safe version without CVEs. From 1.7.25 to 1.8.0-beta2, the APIs used in your project have not changed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
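The report above boils down to a version-range check on one Maven coordinate: org.slf4j:slf4j-ext below 1.8.0-beta2 is the range CVE-2018-8088 covers. The script below is an added example, not code from the Jira issue or from the Log4j project; it reads a pom.xml, applies a simplified version of Maven's version ordering (pre-release qualifiers such as beta sort before the bare release, so 1.7.25 < 1.8.0-beta2 < 1.8.0), and flags declared dependencies inside the vulnerable range. The POM snippet and the VULNERABLE table are constructed for illustration. Note what such a check does not tell you: it says whether the artifact is present, not whether the vulnerable code is reachable, which is exactly the question the maintainer's "not relevant" answer turns on.

```python
"""Flag Maven dependencies whose version falls inside a known-vulnerable range.

Added example; not part of the Jira issue or of Log4j. The fixed-in version for
slf4j-ext (1.8.0-beta2, CVE-2018-8088) is the one stated in the report above.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample POM: declares the same coordinate the report flags.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-ext</artifactId>
      <version>1.7.25</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# (groupId, artifactId) -> (first fixed version, advisory). Constructed table.
VULNERABLE = {("org.slf4j", "slf4j-ext"): ("1.8.0-beta2", "CVE-2018-8088")}

# Simplified Maven qualifier ordering: pre-release qualifiers sort below the
# bare release ("" / ga / final / release); lower rank means earlier.
_QUALIFIER_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3,
                   "rc": 4, "cr": 4, "snapshot": 5,
                   "": 6, "ga": 6, "final": 6, "release": 6}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]([A-Za-z]+)-?(\d*))?")


def parse_version(version):
    """Turn '1.8.0-beta2' into a comparable key: ((1, 8), (2, 2)).

    Trailing zero components are dropped so 1.8 == 1.8.0, as Maven does.
    Unknown qualifiers raise rather than being guessed at.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    rank = _QUALIFIER_RANK.get(qualifier)
    if rank is None:
        raise ValueError(f"unknown qualifier {qualifier!r} in {version!r}")
    qualifier_number = int(m.group(3)) if m.group(3) else 0
    return tuple(nums), (rank, qualifier_number)


def find_vulnerable(pom_xml):
    """Return [(coordinate, advisory, fixed_in)] for declared dependencies
    whose version is older than the first fixed version in VULNERABLE."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.findall(".//m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        entry = VULNERABLE.get((group, artifact))
        # A missing <version> means it is managed elsewhere (dependencyManagement
        # or a parent POM); resolve it with `mvn dependency:tree` before judging.
        if entry is None or version is None:
            continue
        fixed_in, advisory = entry
        if parse_version(version) < parse_version(fixed_in):
            hits.append((f"{group}:{artifact}:{version}", advisory, fixed_in))
    return hits


if __name__ == "__main__":
    for coordinate, advisory, fixed_in in find_vulnerable(SAMPLE_POM):
        print(f"{coordinate}: {advisory}, first fixed in {fixed_in}")
```

The check only looks at versions declared directly in the POM; transitive dependencies and versions inherited from a parent need the resolved tree (for example the output of `mvn dependency:tree`) fed in instead. Whether a flagged artifact is actually exploitable still requires looking at which of its methods the project calls, which is the part of the report the maintainer disputed.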