ant-dev mailing list archives

From Matt Sicker <boa...@gmail.com>
Subject Re: [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date Wed, 07 Feb 2018 21:16:41 GMT
After 2.8.2, there's a class whitelist used for deserializing data in the
receiver.

On 7 February 2018 at 12:19, Gintautas Grigelionis <g.grigelionis@gmail.com>
wrote:

> Sorry, could you please clarify whether there are different aspects pertaining
> to 1.x and 2.x up to and after 2.8.2?
>
> Thanks, Gintas
>
> 2018-02-07 19:10 GMT+01:00 Matt Sicker <boards@gmail.com>:
>
> > Based on that version, this is related to using Java serialization for
> > logs. The general workaround here is to use a different format like JSON
> > instead to avoid the vulnerability entirely.
> >
> > On 7 February 2018 at 12:03, Gintautas Grigelionis <
> > g.grigelionis@gmail.com>
> > wrote:
> >
> > > Exactly, what I meant is that it's worth pointing out that not even all
> > > versions of log4j 2.x are safe.
> > >
> > > Gintas
> > >
> > > 2018-02-07 18:18 GMT+01:00 Stefan Bodewig <bodewig@apache.org>:
> > >
> > > > On 2018-02-07, Gintautas Grigelionis wrote:
> > > >
> > > > > The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only
> > > > > a Log4j 1.x issue. Did I miss something?
> > > >
> > > > The subject is how it has been reported to us.
> > > >
> > > > Prior to the latest releases you have not been able to use log4j2 so
> > > > there is no reason to talk about those versions. The recommended
> > > > mitigation of "don't use Log4JListener or use the log4j2-bridge" is
> > > > correct, one might add "of a log4j 2.x version that is not vulnerable to
> > > > the attack".
> > > >
> > > > Stefan
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscribe@ant.apache.org
> > > > For additional commands, e-mail: dev-help@ant.apache.org
> > > >
> > > >
> > >
> >
> >
> >
> > --
> > Matt Sicker <boards@gmail.com>
> >
>



-- 
Matt Sicker <boards@gmail.com>
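The receiver-side class whitelist mentioned at the top of this thread, as an added illustration that is not part of the thread and not Log4j's own code: an ObjectInputStream that refuses any class descriptor not on an allow-list before the object is instantiated. The LogRecord class and the allowed set are constructed for the demo.

```java
import java.io.*;
import java.util.Set;

/** Illustrative deserialization whitelist for a log receiver (not Log4j's implementation). */
public class WhitelistingObjectInputStream extends ObjectInputStream {
    /** Constructed record standing in for a serialized log event. */
    public static final class LogRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String level;
        final String message;
        LogRecord(String level, String message) { this.level = level; this.message = message; }
    }

    // Constructed allow-list; a real receiver lists only the event types it expects.
    private static final Set<String> ALLOWED = Set.of(
        LogRecord.class.getName(), "java.lang.String", "java.util.ArrayList");

    public WhitelistingObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Reject before the class is loaded or any constructor/readObject runs.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Whitelisted payload: a log record, accepted.
        byte[] ok = serialize(new LogRecord("INFO", "startup complete"));
        try (ObjectInputStream in = new WhitelistingObjectInputStream(new ByteArrayInputStream(ok))) {
            LogRecord r = (LogRecord) in.readObject();
            System.out.println("accepted: " + r.level + " " + r.message);
        }
        // Non-whitelisted payload: an arbitrary JDK class, rejected at resolveClass.
        byte[] other = serialize(new java.util.HashMap<String, String>());
        try (ObjectInputStream in = new WhitelistingObjectInputStream(new ByteArrayInputStream(other))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

Requires Java 9 or later for Set.of; on Java 9+ the same policy can also be expressed with ObjectInputFilter instead of overriding resolveClass.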
