[
https://issues.apache.org/jira/browse/CASSANDRA-19142?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17792091#comment-17792091
]
Brandon Williams commented on CASSANDRA-19142:
----------------------------------------------
>From https://logback.qos.ch/news.html#1.3.12 :
{quote}
Fixed vulnerability of a potential denial of service attack on a centralized
logback receiver when a third party controlling a remote appender connects to
said receiver and could shut down or slow down logging of events.
{quote}
We don't ship logback in a remote configuration, and even so I don't think we
need to worry about third party appenders, so I propose we suppress.
||Branch||CI||
|[3.0|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-3.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1401/workflows/788a6f28-5856-4b70-8507-d4159311a325]|
|[3.11|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-3.11]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1398/workflows/1087c97a-02ef-4417-9b9d-008dda906ce4]|
|[4.0|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-4.0]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1399/workflows/76bc784a-1bd8-4144-a2f1-2b79a6f19b50],
[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1399/workflows/0c9d8aa5-2d91-42fa-9c22-4b11dab67550]|
|[4.1|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-4.1]|[j8|https://app.circleci.com/pipelines/github/driftx/cassandra/1402/workflows/52e25c2d-e686-4acb-bc85-853f4bd76168],
[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1402/workflows/e763e7ca-cec1-44e3-87e9-8643acb390c7]|
|[5.0|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-5.0]|[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1400/workflows/584c05aa-e4f8-444a-9eda-861e0ca236fa],
[j17|https://app.circleci.com/pipelines/github/driftx/cassandra/1400/workflows/ff8a0d20-d8c7-43dd-a013-d1d8152b63db]|
|[trunk|https://github.com/driftx/cassandra/tree/CASSANDRA-19142-trunk]|[j11|https://app.circleci.com/pipelines/github/driftx/cassandra/1403/workflows/d966c040-ad0a-4ceb-a30c-771b16244192],
[j17|https://app.circleci.com/pipelines/github/driftx/cassandra/1403/workflows/b0f78647-91f3-437a-b64b-a37cc0aa36ef]|
> logback-core-1.2.12.jar vulnerability: CVE-2023-6378
> ----------------------------------------------------
>
> Key: CASSANDRA-19142
> URL: https://issues.apache.org/jira/browse/CASSANDRA-19142
> Project: Cassandra
> Issue Type: Bug
> Components: Dependencies
> Reporter: Brandon Williams
> Assignee: Brandon Williams
> Priority: Normal
> Fix For: 3.0.x, 3.11.x, 4.0.x, 4.1.x, 5.0-rc, 5.x
>
>
> https://nvd.nist.gov/vuln/detail/CVE-2023-6378
> {quote}
> A serialization vulnerability in logback receiver component part of logback
> version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by
> sending poisoned data.
> {quote}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
