Posted to announce@apache.org by jh...@apache.org on 2018/02/07 07:24:44 UTC

[SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability


Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
  Apache Ant 1.9.0 - 1.9.9
  Apache Ant 1.10.0 - 1.10.1
  The unsupported Apache Ant 1.8 and lower versions are also affected.
Description:
  When using Apache Ant's Log4jListener there could be a security issue with the
  underlying Apache Log4j library in version 1.x.
  Please note that Log4j 1.x has reached its end of life and is no longer maintained.
  For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.
Mitigation:
  Users should either not use the Log4jListener or use the log4j2-bridge.
  (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)
Credit: 
  This issue was discovered by Wade Schwarz of Oracle.
 
 
-Jan Matèrne
on behalf of the Apache Ant PMC
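
An added example, not part of the advisory and not Apache Ant project code: a small audit helper that finds references to the Log4jListener in build scripts and checks whether the installed Ant version meets the 1.9.10+ / 1.10.2+ requirement for the log4j2-bridge. The function names, status strings and sample scripts are assumptions made for illustration.

```python
import re

# Matches both spellings used in the advisory (Log4jListener / Log4JListener).
LISTENER_RE = re.compile(r"\bLog4jListener\b", re.IGNORECASE)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract (major, minor, patch) from `ant -version` style output."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Ant version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def supports_bridge(version):
    """Per the advisory, the log4j2-bridge requires Ant 1.9.10+ or 1.10.2+."""
    if version[:2] == (1, 9):
        return version >= (1, 9, 10)
    return version >= (1, 10, 2)


def find_listener_uses(sources):
    """Return (source name, line number, line) for each listener reference."""
    return [
        (name, no, line.strip())
        for name, text in sources.items()
        for no, line in enumerate(text.splitlines(), 1)
        if LISTENER_RE.search(line)
    ]


def assess(version_text, sources):
    """Classify a build setup; this does not check that the bridge is installed."""
    hits = find_listener_uses(sources)
    if not hits:
        return "listener-not-used", hits
    if supports_bridge(parse_version(version_text)):
        return "listener-used-bridge-supported", hits
    return "listener-used-upgrade-needed", hits


if __name__ == "__main__":
    # Constructed sample input, not taken from a real build.
    sample_version = "Apache Ant(TM) version 1.9.9 compiled on February 2 2017"
    sample_sources = {
        "ci/build.sh": "#!/bin/sh\nant -listener org.apache.tools.ant.listener.Log4jListener dist\n",
        "ci/test.sh": "#!/bin/sh\nant test\n",
    }
    print(assess(sample_version, sample_sources))
```

A result of "listener-used-upgrade-needed" means the listener is referenced on an Ant version that cannot use the bridge, so the remaining option from the Mitigation section is to stop using the listener or upgrade Ant first.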