
Critical vulnerability in log4j may affect generated PEAR projects

Critical severity GitHub Reviewed Published Dec 16, 2021 in averbis/pear-archetype • Updated Jan 9, 2023

Package

de.averbis.textanalysis:pear-archetype (Maven)

Affected versions

= 2.0.0

Patched versions

2.0.1

Description

Impact

UIMA PEAR projects generated with de.averbis.textanalysis:pear-archetype version 2.0.0 declare a test-scoped Maven dependency on log4j 2.8.2 and might be affected by CVE-2021-44228.

Patches

  • The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.

  • Existing Maven PEAR projects can be patched by manually upgrading the log4j dependency to version >= 2.16.0 in pom.xml.

References

https://www.lunasec.io/docs/blog/log4j-zero-day/

For more information

If you have any questions or comments about this advisory:


@cgaege published to averbis/pear-archetype Dec 16, 2021
Reviewed Dec 16, 2021
Published to the GitHub Advisory Database Dec 16, 2021
Last updated Jan 9, 2023

Severity

Critical

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-j7c3-96rf-jrrp