Posted to issues@maven.apache.org by "Sylwester Lachiewicz (Jira)" <ji...@apache.org> on 2022/01/07 15:48:00 UTC

[jira] [Assigned] (MNG-7382) log4j remote security execution implicated in maven-compiler-plugin

     [ https://issues.apache.org/jira/browse/MNG-7382?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sylwester Lachiewicz reassigned MNG-7382:
-----------------------------------------

    Assignee: Sylwester Lachiewicz

> log4j remote security execution implicated in maven-compiler-plugin
> -------------------------------------------------------------------
>
>                 Key: MNG-7382
>                 URL: https://issues.apache.org/jira/browse/MNG-7382
>             Project: Maven
>          Issue Type: Bug
>          Components: Dependencies
>    Affects Versions: 3.8.4
>         Environment: Windows 10. But I know how to make it work like Linux. 
>            Reporter: Ronald Ayoub
>            Assignee: Sylwester Lachiewicz
>            Priority: Critical
>              Labels: security, vulnerability
>         Attachments: Capture.PNG
>
>
> I use maven to build a java war to a tomcat webapps directory. During this process, I've issued that I am not using log4j anywhere. Nevertheless, every time I build log4j appears in the .m2 directory. I walked dependency trees and executed finds in a variety of directories and can't find the dependency. However, when I executed maven with verbose mode I found it. Apparently, the maven-compiler-plugin requires an old and vulnerable version of log4j. Worse yet, I believe Tomcat is using it dynamically without configuration by its mere presence in the .m2 directory. Hence, a security scanner flagged my website as having the log4j vulnerability.



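The report above turns on what log4j artifacts actually sit in the local Maven repository and in which versions. The following is an added example, not code from the issue or from the Maven project: it walks a `.m2/repository` tree, lists every `log4j*` jar with its groupId, artifactId and version taken from the repository layout, and flags jars that still contain `JndiLookup.class` (the class present in log4j-core 2.x builds that keep JNDI lookups). The `demo()` function builds a small constructed sample repository in a temp directory; the artifact versions in it are made up for the demonstration. Whether a deployed webapp actually loads any of these jars is a separate check of `WEB-INF/lib` and Tomcat's own `lib`, which this scan does not perform.

```python
import tempfile
import zipfile
from pathlib import Path

# Class that ships in log4j-core 2.x builds that still have JNDI lookups available.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_m2_for_log4j(repo_root):
    """Return (groupId, artifactId, version, jar path, has_jndi_lookup) for every
    jar under a Maven local repository whose artifactId starts with 'log4j'."""
    root = Path(repo_root)
    findings = []
    for jar in root.rglob("*.jar"):
        # Repository layout: <group path>/<artifactId>/<version>/<artifactId>-<version>.jar
        parts = jar.relative_to(root).parts
        if len(parts) < 4 or not parts[-3].startswith("log4j"):
            continue
        group_id, artifact_id, version = ".".join(parts[:-3]), parts[-3], parts[-2]
        has_jndi = False
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            pass  # corrupt or partial download: still list it by version
        findings.append((group_id, artifact_id, version, str(jar), has_jndi))
    return sorted(findings)

def _write_jar(path, entries):
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")

def demo():
    """Build a constructed sample .m2 tree (not a real download) and scan it."""
    root = Path(tempfile.mkdtemp())
    l4j = root / "org" / "apache" / "logging" / "log4j"
    _write_jar(l4j / "log4j-core" / "2.14.1" / "log4j-core-2.14.1.jar",
               ["META-INF/MANIFEST.MF", JNDI_LOOKUP_CLASS])
    _write_jar(l4j / "log4j-api" / "2.17.1" / "log4j-api-2.17.1.jar",
               ["META-INF/MANIFEST.MF"])
    _write_jar(root / "junit" / "junit" / "4.13.2" / "junit-4.13.2.jar",
               ["META-INF/MANIFEST.MF"])
    return scan_m2_for_log4j(root)

if __name__ == "__main__":
    for group, artifact, version, jar, jndi in demo():
        print(f"{group}:{artifact}:{version}  JndiLookup={'present' if jndi else 'absent'}")
```

To run it against a real local repository, call `scan_m2_for_log4j(Path.home() / ".m2" / "repository")` instead of `demo()`.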
--
This message was sent by Atlassian Jira
(v8.20.1#820001)