zookeeper-issues mailing list archives

From "Enrico Olivelli (Jira)" <j...@apache.org>
Subject [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Date Tue, 07 Jan 2020 23:30:00 GMT

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17010162#comment-17010162 ]

Enrico Olivelli commented on ZOOKEEPER-3677:
--------------------------------------------

It looks like there is no fix in log4j and that the 1.x release branch is EOL.
We should drop it and use another logging implementation.
I feel the impact will be too big for this to be done in 3.6.0, as users will have to change
their configuration files for logging.

As we are not affected, we could add an exclusion for 3.6 and move to log4j 2.x in 3.7 (or
logback).

On the other hand, it is possible that 3.6 will stay for quite a long time, and I don't know
if we want to change the log framework in some 3.6.xy release due to another issue in log4j
that we can't ignore.




> owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3677
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3677
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: security
>            Reporter: Patrick D. Hunt
>            Priority: Major
>
> Doesn't look like this impacts us (we don't use SocketServer); however, we should figure out what to do, as the owasp checker is failing and the rating is quite high (9.8, bound to get interest).
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> Perhaps ZOOKEEPER-2342 should be prioritized.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
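The thread's reasoning is "we ship log4j 1.2 but never run its SocketServer, so suppress the finding rather than leave the scanner red". Below is an added example that turns that reasoning into a repeatable check; it is not code from the Jira thread or from the ZooKeeper build. It scans JVM launch lines and log4j configuration text for the log4j 1.2 listener classes named in CVE-2019-17571 (SocketServer and SimpleSocketServer, which hand each connection to SocketNode for the ObjectInputStream read), deliberately does not flag the client-side SocketAppender, and, only when nothing listens, emits an OWASP dependency-check suppression scoped to the log4j 1.2.x artifact and this one CVE. The sample command lines and log4j.properties are constructed; the element names follow the dependency-check suppression schema (`packageUrl`, `cve`, `notes`), and the file name you commit it under, and how it is wired into the build, are assumptions for your project.

```python
"""Decide whether CVE-2019-17571 is reachable and, if not, write a scoped suppression.

Added example, not ZooKeeper project code.  Inputs are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

CVE_ID = "CVE-2019-17571"
# Namespace of the OWASP dependency-check suppression schema (version 1.3).
NS = "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"

# Log4j 1.2 classes that read serialized LoggingEvents off a network socket.
# SocketServer and SimpleSocketServer are the listeners named in the CVE; both
# delegate each accepted connection to SocketNode, which does the readObject().
# SocketAppender is the *sender* and is intentionally absent from this list.
LISTENER_CLASSES = (
    "org.apache.log4j.net.SocketServer",
    "org.apache.log4j.net.SimpleSocketServer",
    "org.apache.log4j.net.SocketNode",
)


def socket_server_launches(java_cmdlines):
    """Return the command lines whose main class is a log4j 1.2 socket listener.

    A receiver is started as `java ... org.apache.log4j.net.SimpleSocketServer <port> <config>`,
    so the listener appears as a whitespace-delimited token.  Token matching avoids
    false positives from jar paths or -D properties that merely mention the name.
    """
    return [line for line in java_cmdlines
            if any(tok in LISTENER_CLASSES for tok in line.split())]


def listener_configs(log4j_configs):
    """Return config texts that reference a listener class (e.g. a wrapper script or XML)."""
    return [cfg for cfg in log4j_configs
            if any(cls in cfg for cls in LISTENER_CLASSES)]


def suppression_xml(cve_id, justification):
    """Emit a dependency-check suppression limited to log4j 1.2.x and to cve_id only.

    Scoping by packageUrl regex means a future log4j 2.x or logback artifact, or a
    different CVE against the same jar, is still reported.
    """
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="{NS}">
  <suppress>
    <notes>{escape(justification)}</notes>
    <packageUrl regex="true">^pkg:maven/log4j/log4j@1\\.2\\..*$</packageUrl>
    <cve>{escape(cve_id)}</cve>
  </suppress>
</suppressions>
"""


def suppressed_cves(xml_text):
    """Parse a suppression file and list the CVE ids it silences (sanity check before commit)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [el.text for el in root.iter(f"{{{NS}}}cve")]


def assess(java_cmdlines, log4j_configs):
    """Return (reachable, suppression) for CVE-2019-17571 on this inventory.

    reachable=True means a log4j 1.2 listener runs and the finding must stay open;
    otherwise a suppression document recording the justification is returned.
    """
    if socket_server_launches(java_cmdlines) or listener_configs(log4j_configs):
        return True, None
    note = (f"{CVE_ID} (log4j 1.2 SocketServer deserialization): suppressed because no "
            "process in this deployment runs org.apache.log4j.net.SocketServer or "
            "SimpleSocketServer. SocketAppender (client side) is not affected. "
            "Re-run this check whenever log shipping changes.")
    return False, suppression_xml(CVE_ID, note)


# Constructed sample inventory (not captured from a real host): a ZooKeeper server
# JVM, a separate log4j receiver JVM, and a log4j.properties that only *sends* events.
SAMPLE_CMDLINES = [
    "java -cp zookeeper.jar:log4j-1.2.17.jar org.apache.zookeeper.server.quorum.QuorumPeerMain /etc/zookeeper/zoo.cfg",
    "java -cp log4j-1.2.17.jar org.apache.log4j.net.SimpleSocketServer 4712 /etc/log4j/server.properties",
]
SAMPLE_LOG4J_PROPERTIES = """log4j.rootLogger=INFO, CONSOLE, REMOTE
log4j.appender.REMOTE=org.apache.log4j.net.SocketAppender
log4j.appender.REMOTE.RemoteHost=logs.example.internal
log4j.appender.REMOTE.Port=4712
"""

if __name__ == "__main__":
    # With the receiver present the CVE is reachable: no suppression is written.
    print(assess(SAMPLE_CMDLINES, [SAMPLE_LOG4J_PROPERTIES]))
    # Only the ZooKeeper server (sender-side config at most): emit the scoped suppression.
    reachable, doc = assess(SAMPLE_CMDLINES[:1], [SAMPLE_LOG4J_PROPERTIES])
    print(doc)
```

Run it against the real `ps -o args` output and the log4j files on each host; keep the generated `<notes>` text, since it is the justification a reviewer of the suppression file will ask for, and it is what you will have to revisit if log shipping is ever switched to a SocketServer receiver.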
