zookeeper-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ph...@apache.org
Subject [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer
Date Sat, 18 Jan 2020 19:06:15 GMT
This is an automated email from the ASF dual-hosted git repository.

phunt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new 3bd6b19  ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j
1.2 deserialization of untrusted data in SocketServer
3bd6b19 is described below

commit 3bd6b1950eea1fabeac4bc477c8828939d008a4a
Author: Enrico Olivelli <eolivelli@apache.org>
AuthorDate: Sat Jan 18 11:06:01 2020 -0800

    ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization
of untrusted data in SocketServer
    
    Suppress error for CVE-2019-17571 as it does not affect us.
    We are not running the log4j server.
    
    Author: Enrico Olivelli <eolivelli@apache.org>
    
    Reviewers: phunt@apache.org
    
    Closes #1209 from eolivelli/fix/ZOOKEEPER-3677-owasp-log4j
    
    Change-Id: I0ef24a7b142cd32ccf4f5c18f9e0c0132a413d6c
---
 owaspSuppressions.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/owaspSuppressions.xml b/owaspSuppressions.xml
index 5c4bc33..ae94db4 100644
--- a/owaspSuppressions.xml
+++ b/owaspSuppressions.xml
@@ -41,4 +41,9 @@
            this writing  -->
       <cve>CVE-2019-3826</cve>
    </suppress>
+   <suppress>
+      <!-- false positive for us, it is about log4j server in log4j-1.2.17.jar
+           ZOOKEEPER-3677 -->
+      <cve>CVE-2019-17571</cve>
+   </suppress>
 </suppressions>


Mime
View raw message