
[fix][sec] Fix CVEs introduced by log4j 1.2.17 #236

Merged: 1 commit merged into master from fix-log4j-cve on Feb 7, 2023

Conversation

@alpreu alpreu (Contributor) commented Jan 19, 2023

Fixes #234

Motivation

Fixes CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 by excluding log4j in favor of the log4j2 bridge

Modifications

Exclude log4j in pom.xml and add log4j-1.2-api dependency to bridge to 2.X version

Verifying this change

  • Make sure that the change passes the CI checks.

This change is already covered by existing tests, such as (please describe tests).

Documentation

Check the box below.

Need to update docs?

  • doc-required

    (If you need help on updating docs, create a doc issue)

  • no-need-doc

    (Please explain why)

  • doc

    (If this PR contains doc changes)
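The pom.xml shape described under "Modifications", as an added illustration that is not the diff from this pull request and not the project's own pom.xml. Assumptions: `org.example:some-library` stands in for whichever dependency pulled `log4j:log4j` 1.2.17 in transitively (the page does not name it), and the `log4j2.version` property is assumed; it must match the `log4j-api`/`log4j-core` version already used by the project. The enforcer rule at the end is an added regression check, not something the pull request states it does.

```xml
<!-- Added example fragment, not the pom.xml from this pull request.
     org.example:some-library is a hypothetical stand-in for the dependency that
     brought log4j:log4j 1.2.17 in transitively. -->
<project>
  <properties>
    <!-- assumption: same version as the project's existing log4j-api/log4j-core -->
    <log4j2.version>2.19.0</log4j2.version>
  </properties>

  <dependencies>
    <!-- 1. Cut the transitive path that brought in log4j 1.2.17 -->
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-library</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- 2. Provide the log4j 1.x API (org.apache.log4j.*) through the Log4j 2 bridge,
            so code written against org.apache.log4j.Logger keeps compiling and
            logs through log4j-core instead of the vulnerable 1.2.x classes. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
    <!-- The bridge has no logging implementation of its own: log4j-api and
         log4j-core of the same version must be on the runtime classpath. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- 3. Regression check: fail the build if log4j 1.x comes back through
              any other transitive path (searchTransitive defaults to true). -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-log4j1</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>log4j:log4j</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the exclusion actually removed the artifact rather than just one path to it, run `mvn dependency:tree -Dincludes=log4j:log4j`; it should list no `log4j:log4j` node under any module. If the project ships a shaded or fat jar, also check the packaged output (`unzip -l target/*.jar | grep -i log4j`) for `org/apache/log4j/` classes that came from the 1.2.17 jar rather than the bridge. Two caveats a practitioner should keep in mind: the bridge covers the commonly used 1.x API (Logger, Category, Level, MDC, PropertyConfigurator and friends) but not every 1.x class, so any code or configuration that references the 1.x appenders behind these CVEs (JMSSink, JDBCAppender, SocketServer, Chainsaw) has to be reviewed or removed; and a legacy `log4j.properties`/`log4j.xml` is only read through the bridge when the system property `log4j1.compatibility=true` is set, otherwise Log4j 2 expects its own `log4j2.xml`.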

@alpreu alpreu marked this pull request as ready for review January 19, 2023 14:48
@alpreu alpreu requested a review from a team as a code owner January 19, 2023 14:48
@alpreu alpreu merged commit 242b65a into master Feb 7, 2023
@delete-merged-branch delete-merged-branch bot deleted the fix-log4j-cve branch February 7, 2023 09:04
hangc0276 pushed a commit that referenced this pull request Feb 13, 2023
Fixes CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 by excluding log4j in favor of the log4j2 bridge

(cherry picked from commit 242b65a)
hangc0276 pushed a commit that referenced this pull request Feb 28, 2023
Fixes CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 by excluding log4j in favor of the log4j2 bridge

(cherry picked from commit 242b65a)
hangc0276 pushed a commit that referenced this pull request Feb 28, 2023
Fixes CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307 by excluding log4j in favor of the log4j2 bridge

(cherry picked from commit 242b65a)
Development: successfully merging this pull request may close this issue:

[CVE] Verizon requests a fix for log4j 1.2.17 vulnerabilities
3 participants