You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zookeeper.apache.org by "zhaozhengbin (Jira)" <ji...@apache.org> on 2021/05/28 02:51:00 UTC

[jira] [Created] (ZOOKEEPER-4305) log4j CVE problem

zhaozhengbin created ZOOKEEPER-4305:
---------------------------------------

             Summary: log4j CVE problem
                 Key: ZOOKEEPER-4305
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4305
             Project: ZooKeeper
          Issue Type: Bug
          Components: security
    Affects Versions: 3.6.2, 3.7
            Reporter: zhaozhengbin


Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.this affects Log4j versions up to 1.2 up to 1.2.17.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)