Posted to issues@zookeeper.apache.org by "Donatello (Jira)" <ji...@apache.org> on 2022/03/14 14:31:00 UTC

[jira] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3677 ]


    Donatello deleted comment on ZOOKEEPER-3677:
    --------------------------------------

was (Author: donatello):
CVE-2019-17571	20 Dec 2019	CWE-502 Deserialization of Untrusted Data is still seen as a critical vulnerability by zookeeper:3.6.3 image scan tools.

I don't understand comments like "we are not affected by the problem".
If the logging configuration is modified to use a SocketAppender, the vulnerability is still there.

However, migrating to log4j2 requires changing the logging configuration structure, and I can understand it's kind of a breaking change (if we are really careful about potential backward compatibility issues).

So the question is: what stable version, clean of any vulnerability, can we use today?
Spoiler: the answer is: none.

> owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3677
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3677
>             Project: ZooKeeper
>          Issue Type: Task
>          Components: security
>            Reporter: Patrick D. Hunt
>            Assignee: Enrico Olivelli
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.7.0, 3.5.7, 3.6.1
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Doesn't look like this impacts us (we don't use SocketServer) however we should figure out what to do as the owasp checker is failing and the rating is quite high (9.8 - bound to get interest)
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> Perhaps ZOOKEEPER-2342 should be prioritized.
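Both the comment and the issue description turn on the same point: whether CVE-2019-17571 matters for a deployment depends on how log4j 1.x is wired up, not only on the jar being present. The following Python audit is an added example (not code from the ZooKeeper project or from this thread) that parses a log4j 1.x properties file, flags appenders that send Java-serialized events over a socket, and reports whether each one is actually wired into a logger; the sample configuration, host name and appender names are constructed.

```python
import re

# Constructed sample: a ZooKeeper-style log4j 1.x properties file with a
# SocketAppender wired into the root logger and a second one left unreferenced.
SAMPLE_LOG4J_PROPERTIES = """\
log4j.rootLogger=INFO, CONSOLE, REMOTE
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.REMOTE=org.apache.log4j.net.SocketAppender
log4j.appender.REMOTE.RemoteHost=logcollector.example.internal
log4j.appender.REMOTE.Port=4560
log4j.appender.HUB=org.apache.log4j.net.SocketHubAppender
log4j.logger.org.apache.zookeeper.server=DEBUG, CONSOLE
"""

# log4j 1.x appenders that send Java-serialized LoggingEvent objects over TCP;
# a log4j 1.2 SocketServer on the receiving end is the deserializer CVE-2019-17571 covers.
SERIALIZING_APPENDERS = {
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.net.SocketHubAppender",
}

APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")
LOGGER_RE = re.compile(r"^\s*log4j\.(rootLogger|logger\.\S+?)\s*=\s*(.+?)\s*$")


def parse_config(text):
    """Return (appenders, referenced): declared {name: class} and the set of
    appender names wired into the root logger or any named logger."""
    appenders, referenced = {}, set()
    for line in text.splitlines():
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
        m = LOGGER_RE.match(line)
        if m:
            # Logger values read "LEVEL, appender1, appender2"; drop the level.
            tokens = [t.strip() for t in m.group(2).split(",")]
            referenced.update(t for t in tokens[1:] if t)
    return appenders, referenced


def audit_log4j_config(text):
    """Return {appender_name: (class_name, active)} for each declared appender
    whose class ships serialized events over a socket; active = wired in."""
    appenders, referenced = parse_config(text)
    return {name: (cls, name in referenced)
            for name, cls in appenders.items() if cls in SERIALIZING_APPENDERS}
```

Running the audit over a real log4j.properties (or the one baked into a container image) gives a direct answer to "does this deployment actually use a socket appender" instead of relying on the jar-level scanner verdict alone.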


