Source: apache-log4j1.2
Version: 1.2.17-8
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 1.2.17-7
Control: found -1 1.2.17-5
Hi,

The following vulnerability was published for apache-log4j1.2.

CVE-2019-17571[0]:
| Included in Log4j 1.2 is a SocketServer class that is vulnerable to
| deserialization of untrusted data which can be exploited to remotely
| execute arbitrary code when combined with a deserialization gadget
| when listening to untrusted network traffic for log data. This affects
| Log4j versions up to 1.2 up to 1.2.17.

Note that this issue corresponds to the old CVE-2017-5645 for the 2.x
branch codebase[1]. 1.2 reached end of life in 2015 accordingly, and the
"right move" would be to switch to 2.x.

Which raises a question from a security support point of view: We would
need to fade out apache-log4j1.2 for bullseye at least now, right? From a
quick check via a simulated dak rm, it looks right now impossible to
actually remove it. Are there current plans from the Debian Java
Maintainers for that? Or is there something I currently just miss from
the big picture?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-17571
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
[1] https://www.openwall.com/lists/oss-security/2019/12/19/2

Regards,
Salvatore
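Added illustration of the mitigation side of this bug class, not code from the bug report, Debian or log4j itself: a receiver that deserializes log4j 1.2 LoggingEvent traffic only through a JDK deserialization allowlist (ObjectInputFilter, Java 9 or later assumed), so any class outside the expected graph is refused before it is instantiated. The class names in the allowlist are an assumption about what a LoggingEvent object graph contains.

```java
import java.io.*;
import java.util.*;

public final class FilteredLogReceiver {

    // Assumed allowlist: the classes a log4j 1.2 LoggingEvent graph is expected to carry.
    // Any other class in the stream (a gadget chain included) is rejected before it is built.
    private static final Set<String> ALLOWED = Set.of(
            "org.apache.log4j.spi.LoggingEvent", "org.apache.log4j.spi.ThrowableInformation",
            "org.apache.log4j.spi.LocationInfo", "org.apache.log4j.Level",
            "org.apache.log4j.Priority", "java.lang.String", "java.util.Hashtable");

    static ObjectInputFilter allowListFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/ref-count probes, not a class
            while (c.isArray()) c = c.getComponentType();            // judge arrays by element type
            return c.isPrimitive() || ALLOWED.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
    }

    // Reads one serialized object; the JDK throws InvalidClassException on a rejected class.
    static Object readFiltered(InputStream in) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(in);
        ois.setObjectInputFilter(allowListFilter());
        return ois.readObject();
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a listed type is accepted, an unlisted one is refused.
        Object ok = readFiltered(new ByteArrayInputStream(serialize(new Hashtable<String, String>())));
        System.out.println("accepted: " + ok.getClass().getName());
        try {
            readFiltered(new ByteArrayInputStream(serialize(new ArrayList<String>())));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```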