Log4j critical vulnerability!!

[soufiene-aissa]

Hello,

Sparkpost still use old version of Log4j. We are facing problem to fix this alert. Because we cannot upgrade to the new project (https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core).

This is the description of the vulnerability :

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Users are advised to migrate to org.apache.logging.log4j:log4j-core

Source : https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Can you please fix it as soon as possible please?

Regards,

[yepher]

If you send a pull request this way is will be glad to review and merge it in.

[ThirumlaDevi]

@yepher @soufiene-aissa i did this migration from log4j 1.x to 2.x for one of my projects, one of reasons being to fix security vulneribility alerts. Will it be okay if I take this up, if it isn't already taken up?
This is the migration reference document that i'll be following --> reference

[ThirumlaDevi]

@yepher @soufiene-aissa I have raised the above PR which will fix this vulnerability CVE-2019-17571, in this project. Hope this helps, cheers ✌️

[yepher]

This is fixed in v0.24