Posted to dev@mina.apache.org by "Putra Nugraha (Jira)" <ji...@apache.org> on 2022/03/02 02:19:00 UTC

[jira] [Commented] (SSHD-1248) Log4J2 Security Vulnerability ( CVE-2021-44832 )

    [ https://issues.apache.org/jira/browse/SSHD-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17499855#comment-17499855 ] 

Putra Nugraha commented on SSHD-1248:
-------------------------------------

Hi [~twolf],

Sorry, I deleted the comment, as I found out a minute later that it is not from Mina SSHD, as you mentioned. The Log4J dependencies came from the spring-boot-starter-parent, which is mentioned in this article: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

Thank you very much for the prompt and great support; really sorry once again for the invalid information and the inconvenience caused.

> Log4J2 Security Vulnerability ( CVE-2021-44832 )
> ------------------------------------------------
>
>                 Key: SSHD-1248
>                 URL: https://issues.apache.org/jira/browse/SSHD-1248
>             Project: MINA SSHD
>          Issue Type: Question
>    Affects Versions: 2.8.0
>            Reporter: Putra Nugraha
>            Priority: Major
>         Attachments: effective-pom.xml, image-2022-02-28-15-06-13-418.png
>
>
> Upon checking for possible security vulnerabilities, I noticed MINA SSHD is using Log4J2 version 2.14.1, and Log4J2 made some fixes in the later version (2.17.1 for Java 8), one of which is related to security vulnerabilities leading to RCE.
>
> May I know if there is any plan for MINA SSHD to adopt the above fix? Or can we please have this fixed if not planned?
>
> Further details on the above Log4J security vulnerabilities can be found here:
> https://logging.apache.org/log4j/2.x/security.html
