Posted to dev@tinkerpop.apache.org by "Dan Snoddy (Jira)" <ji...@apache.org> on 2021/03/16 14:35:00 UTC

[jira] [Updated] (TINKERPOP-2534) Log4j flagged as critical security violation

     [ https://issues.apache.org/jira/browse/TINKERPOP-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Snoddy updated TINKERPOP-2534:
----------------------------------
    Issue Type: Improvement  (was: Bug)

> Log4j flagged as critical security violation
> --------------------------------------------
>
>                 Key: TINKERPOP-2534
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2534
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: console, server
>    Affects Versions: 3.4.10
>            Reporter: Dan Snoddy
>            Priority: Major
>
> Gremlin server and console include log4j 1.2, which end-of-life'd > 5 years ago. 
> Security scanning software (twistlock), flags log4j 1.2 as a critical security violation, and hence prohibits deployment.
> CRITICAL:
> Attack complexity: low, Attack vector: network, Critical severity, Remote execution
> CVE-2019-17571
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
>  
> Is there a plan to remove log4j 1.2 so that installation of either gremlin server or console do not include the jars that trigger this security issue?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
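A defender-side check for the situation the issue describes, added here as an example and not part of the Jira thread or of TinkerPop: it walks a Gremlin Server or Console lib directory, identifies Log4j 1.x jars by their Maven pom.properties (assumed present, as in the published log4j-1.2.17.jar), reads the version, and reports whether the jar still ships org/apache/log4j/net/SocketServer.class, the class named in CVE-2019-17571. The lib directory and jars below are constructed in a temp dir so the script runs offline.

```python
import os
import re
import tempfile
import zipfile

LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"  # Maven coordinates of Log4j 1.x (assumed present)
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"  # class named in CVE-2019-17571

def inspect_jar(path):
    """Return (version, has_socket_server) for a Log4j 1.x jar, or None if it is not one."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if LOG4J1_POM not in names:
            return None
        props = jar.read(LOG4J1_POM).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else "unknown"
        return version, SOCKET_SERVER in names

def find_log4j1(lib_dir):
    """Walk lib_dir and map each Log4j 1.x jar path to (version, has_socket_server)."""
    findings = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if name.endswith(".jar"):
                path = os.path.join(root, name)
                result = inspect_jar(path)
                if result is not None:
                    findings[path] = result
    return findings

def make_sample_lib():
    """Constructed sample: a fake log4j-1.2.17.jar next to an unrelated jar, in a temp dir."""
    lib_dir = tempfile.mkdtemp(prefix="gremlin-lib-")
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr(LOG4J1_POM, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        jar.writestr(SOCKET_SERVER, b"\xca\xfe\xba\xbe")  # placeholder class bytes, not a real class
    with zipfile.ZipFile(os.path.join(lib_dir, "gremlin-core-3.4.10.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return lib_dir

if __name__ == "__main__":
    for jar, (version, has_socket_server) in find_log4j1(make_sample_lib()).items():
        print(f"{jar}: log4j {version}, SocketServer.class present: {has_socket_server}")
```

Point `find_log4j1` at a real `lib/` directory of a Gremlin distribution to get the same report for the jars actually shipped.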