[MODINV-197] Fix security vulnerability reported in log4j >= 1.2, <= 1.2.27 - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: 14.1.1, 16.0.0
Fix Version/s: 16.1.0
Labels:
- back-end
- security

Template:

Standard Bug Write-Up Format
Sprint:
Core: F - Sprint 92, Core: F - Sprint 93, Core: F - Sprint 94, Core: F - Sprint 96, Core: F - Sprint 97
Story Points:
3
Development Team:
Prokopovych

Description

CVE-2019-17571

moderate severity

*Vulnerable versions:* >= 1.2, <= 1.2.27

*Patched version:* No fix

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

TestRail: Results

Attachments

Issue Links

relates to

EDGRTAC-26 Fix security vulnerability reported in log4j 1.2

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Peter Murray

Tester Assignee:: Peter Murray

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 28/Jan/20 5:29 PM

Updated:: 14/Sep/20 11:17 AM

Resolved:: 14/Sep/20 11:16 AM

Fix security vulnerability reported in log4j >= 1.2, <= 1.2.27