[
https://issues.apache.org/jira/browse/SAMZA-2683?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Chen updated SAMZA-2683:
--------------------------------
Description:
Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14 which
possesses security concerns:
"Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data which can be exploited to remotely execute
arbitrary code when combined with a deserialization gadget when listening to
untrusted network traffic for log data. This affects Log4j versions up to 1.2
up to 1.2.17. Users are advised to migrate to
`org.apache.logging.log4j:log4j-core` remediation: No fix is known for this
vulnerability"
The latest Scalatra 2.7.1 version no longer depends on this dangerous library
was:
Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14 which
possesses security concerns
The latest Scalatra 2.7.1 version no longer depends on this dangerous library
> Bump up Scalatra version to pull latest dependencies
> ----------------------------------------------------
>
> Key: SAMZA-2683
> URL: https://issues.apache.org/jira/browse/SAMZA-2683
> Project: Samza
> Issue Type: Improvement
> Affects Versions: 1.6
> Reporter: Daniel Chen
> Assignee: Daniel Chen
> Priority: Major
> Fix For: 1.7
>
>
> Scalatra 2.5.0 is pulling in outdated libraries, namely log4j:1.2.14 which
> possesses security concerns:
> "Included in Log4j 1.2 is a SocketServer class that is vulnerable to
> deserialization of untrusted data which can be exploited to remotely execute
> arbitrary code when combined with a deserialization gadget when listening to
> untrusted network traffic for log data. This affects Log4j versions up to 1.2
> up to 1.2.17. Users are advised to migrate to
> `org.apache.logging.log4j:log4j-core` remediation: No fix is known for this
> vulnerability"
> The latest Scalatra 2.7.1 version no longer depends on this dangerous library
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
