zookeeper-commits mailing list archives

From ph...@apache.org
Subject [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Date Sat, 18 Jan 2020 19:07:37 GMT
This is an automated email from the ASF dual-hosted git repository.

phunt pushed a commit to branch branch-3.6
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.6 by this push:
     new b4d9e57  ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j
1.2 deserialization of untrusted data in SocketServer
b4d9e57 is described below

commit b4d9e5730b44cad90c70c1271b895e7fdda5af06
Author: Enrico Olivelli <eolivelli@apache.org>
AuthorDate: Sat Jan 18 11:06:01 2020 -0800

    ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization
of untrusted data in SocketServer
    
    Suppress error for CVE-2019-17571 as it does not affect us.
    We are not running the log4j server.
    
    Author: Enrico Olivelli <eolivelli@apache.org>
    
    Reviewers: phunt@apache.org
    
    Closes #1209 from eolivelli/fix/ZOOKEEPER-3677-owasp-log4j
    
    Change-Id: I0ef24a7b142cd32ccf4f5c18f9e0c0132a413d6c
    (cherry picked from commit 3bd6b1950eea1fabeac4bc477c8828939d008a4a)
    Signed-off-by: Patrick Hunt <phunt@apache.org>
---
 owaspSuppressions.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 5c4bc33..ae94db4 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -41,4 +41,9 @@
            this writing  -->
       <cve>CVE-2019-3826</cve>
    </suppress>
+   <suppress>
+      <!-- false positive for us, it is about log4j server in log4j-1.2.17.jar
+           ZOOKEEPER-3677 -->
+      <cve>CVE-2019-17571</cve>
+   </suppress>
 </suppressions>
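Review bot: The new `<suppress>` entry for CVE-2019-17571 has only a `<cve>` child and no `<packageUrl>`, `<gav>`, `<filePath>` or `<sha1>` selector, so it silences this CVE for every dependency the checker scans, not only the log4j-1.2.17.jar named in the comment. Consider scoping it to the log4j 1.2 artifact so that a match on any other artifact still fails the check. The comment could also record the actual condition given in the commit message (the log4j SocketServer is not run), since the suppression is only valid while that holds; an `until` attribute on `<suppress>` would force a periodic re-check.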

