Critical vulnerability in log4j may affect generated PEAR projects
Critical severity
GitHub Reviewed
Published Dec 16, 2021 in averbis/pear-archetype • Updated Jan 9, 2023
Package
Affected versions: = 2.0.0
Patched versions: 2.0.1
Description
Reviewed: Dec 16, 2021
Published to the GitHub Advisory Database: Dec 16, 2021
Last updated: Jan 9, 2023
Impact
UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a Maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.

Patches
The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.

Existing Maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml.

References
https://www.lunasec.io/docs/blog/log4j-zero-day/
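
A check for the manual patch step described under Patches, as an added example that is not part of the advisory or the pear-archetype project: it scans a pom.xml for log4j 2.x dependencies below 2.16.0, test scope included, and reports entries whose version cannot be resolved from the file itself. The org.apache.logging.log4j groupId, the sample POM and the function names are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

MIN_SAFE = (2, 16, 0)                     # minimum log4j version named in the advisory
LOG4J_GROUP = "org.apache.logging.log4j"  # assumption: log4j 2.x groupId used in the POM

# Constructed sample POM, modelled on the advisory's test-scope log4j 2.8.2 dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.8.2</log4j.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
      <scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.16.0</version>
    </dependency>
  </dependencies>
</project>"""

def _local(tag):
    """Drop the XML namespace so POMs with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]

def find_outdated_log4j(pom_xml):
    """Return (artifactId, version, scope) for log4j 2.x dependencies below MIN_SAFE."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for el in root.iter() if _local(el.tag) == "properties" for p in el}
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if f.get("groupId") != LOG4J_GROUP:
            continue
        # Resolve ${property} references against the POM's own <properties>.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), f.get("version", ""))
        nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
        # No usable version (inherited or unresolved property): report for manual review.
        if not re.match(r"\d", version) or tuple(nums + [0] * (3 - len(nums))) < MIN_SAFE:
            findings.append((f.get("artifactId"), version or "unresolved", f.get("scope", "compile")))
    return findings
```

A version inherited from a parent POM or dependencyManagement in another file shows up as "unresolved"; `mvn dependency:tree` gives the effective version in that case.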
For more information
If you have any questions or comments about this advisory: