Synopsys: Automated PR: Update log4j:log4j:1.2.17 to 1.3alpha8-temp #19
Vulnerabilities associated with log4j:log4j:1.2.17
BDSA-2019-4008 (CRITICAL): Apache Log4j is vulnerable to remote code execution (RCE). This allows a remote attacker to send a crafted serialized payload that, when processed by Log4j, will execute arbitrary code. This can occur if Log4j is deserializing untrusted network traffic.
BDSA-2021-3764 (HIGH): Log4j 1.x versions are vulnerable to deserializing untrusted data if configured to use JMSAppender (which is not the default). A remote attacker could leverage this to execute arbitrary code on the underlying system with the privileges of the application that is running Log4j. Note that Log4j 1.x has been marked EOL for many years and has not received updates in this time.
BDSA-2021-4371 (HIGH): Apache chainsaw is vulnerable to a deserialization of untrusted data flaw. A remote attacker could leverage this to cause remote code execution (RCE).
BDSA-2022-0117 (HIGH): Log4j is vulnerable to remote code execution (RCE) due to the deserialization of untrusted data. An attacker that is able to make the JMSSink component submit requests to a given LDAP server could load malicious Java classes into the vulnerable application's memory by leveraging the JNDI class-loading capability.
In order to exploit this vulnerability, the attacker must be able to control the configuration of Log4j, or must have access to an LDAP server which the JMSSink component is configured to use. Log4j must also be configured to utilize JMSSink, which is not used by default.
BDSA-2022-0118 (HIGH): Apache Log4j is vulnerable to a remote code execution (RCE) issue due to how the Apache Chainsaw component can unsafely deserialize user controlled input.
An attacker could send crafted input to the application in order to abuse the flaw and execute malicious code on the system.
Note: The Apache Chainsaw deserialization vulnerability has been reported as CVE-2020-9493 and affects EOL Apache Log4j 1.2.x versions that include this component.
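The advisories above all hinge on two questions a reviewer of this PR would want answered before merging: is the non-default JMSAppender (with its JNDI settings) actually declared anywhere in the application's Log4j 1.x configuration, and are the classes behind JMSAppender, JMSSink, SocketServer and Chainsaw still packaged in the jar on the classpath? The script below is an added example written for this page, not code from Synopsys, this PR, or the Log4j project. The class and property names are the real `org.apache.log4j` ones; the sample properties file, the XML config, the host `mq.internal.example`, the file paths and the in-memory "jar" are all constructed for the example.

```python
"""Added check, not from the Synopsys PR or from Log4j: find the non-default JMSAppender the
advisories above describe and confirm whether the classes behind them are still in a jar.
Class names are real org.apache.log4j ones; configs, jar contents and hosts are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Log4j 1.2 classes behind the advisories listed above. Only JMSAppender is declared in a
# logging config; JMSSink, SocketServer and Chainsaw are launched separately, so for those
# the jar check below is the one that matters.
RISKY_CLASSES = {
    "org.apache.log4j.net.JMSAppender": "BDSA-2021-3764 (JMS/JNDI deserialization)",
    "org.apache.log4j.net.JMSSink": "BDSA-2022-0117 (JMSSink JNDI class loading)",
    "org.apache.log4j.net.SocketServer": "BDSA-2019-4008 (deserializes network traffic)",
    "org.apache.log4j.chainsaw.Main": "BDSA-2022-0118 / CVE-2020-9493 (Chainsaw)",
}
# JMSAppender settings that drive JNDI lookups (property names from the Log4j 1.2 API).
JNDI_PARAMS = {"InitialContextFactoryName", "ProviderURL",
               "TopicBindingName", "TopicConnectionFactoryBindingName"}

SAMPLE_PROPERTIES = """\
# constructed sample: a non-default JMSAppender wired to a JNDI provider
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.file.File=/var/log/app.log
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.jms.ProviderURL=tcp://mq.internal.example:61616
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="ldap://mq.internal.example:389"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="INFO"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

def scan_properties(text):
    """Findings for log4j.properties text: risky appenders plus their JNDI settings."""
    appenders, params = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.fullmatch(r"log4j\.appender\.([^.]+)(?:\.([\w.]+))?", key)
        if not m:
            continue
        name, param = m.groups()
        if param is None:
            appenders[name] = value          # log4j.appender.<name>=<class>
        else:
            params.setdefault(name, {})[param] = value
    return _findings(appenders, params)

def scan_xml(text):
    """Findings for log4j.xml text (<appender class=...> with direct <param> children)."""
    appenders, params = {}, {}
    for app in ET.fromstring(text).iter("appender"):
        name = app.get("name", "?")
        appenders[name] = app.get("class", "")
        params[name] = {p.get("name"): p.get("value") for p in app.findall("param")}
    return _findings(appenders, params)

def _findings(appenders, params):
    out = []
    for name, cls in appenders.items():
        if cls in RISKY_CLASSES:
            jndi = {k: v for k, v in params.get(name, {}).items() if k in JNDI_PARAMS}
            out.append({"appender": name, "class": cls,
                        "advisory": RISKY_CLASSES[cls], "jndi": jndi})
    return out

def risky_classes_in_jar(jar_bytes):
    """Risky classes still packaged in a jar; an empty list means they were stripped out."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return sorted(c for c in RISKY_CLASSES if c.replace(".", "/") + ".class" in names)

def build_sample_jar(class_names):
    """Constructed stand-in for a real jar: a zip holding empty .class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for c in class_names:
            jar.writestr(c.replace(".", "/") + ".class", b"")
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_properties(SAMPLE_PROPERTIES) + scan_xml(SAMPLE_XML):
        print(f"{f['appender']}: {f['class']} -> {f['advisory']}; JNDI {f['jndi']}")
    print("still in jar:", risky_classes_in_jar(build_sample_jar(list(RISKY_CLASSES))))
```

Run against a real deployment, point `scan_properties` / `scan_xml` at the application's own config and `risky_classes_in_jar` at the bytes of its `log4j-1.2.17.jar`. A finding from the config scan means the JMSAppender path in BDSA-2021-3764 is live, and the `ProviderURL` / binding names show which JNDI provider it trusts; an empty result from the jar check means the classes have been stripped (for example with `zip -q -d log4j-1.2.17.jar org/apache/log4j/net/JMSAppender.class`), which is the usual stop-gap when a 1.x deployment cannot be upgraded. Note that the version this PR proposes, 1.3alpha8-temp, is an abandoned alpha rather than a maintained release; the maintained ways off Log4j 1.x are Log4j 2 or the reload4j fork of 1.2.17.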