[
https://issues.apache.org/jira/browse/DIRMINA-1158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17481239#comment-17481239
]
Emmanuel Lécharny commented on DIRMINA-1158:
--------------------------------------------
In the short term, no.
Those vulnerability require:
- an access to the configuration file
- the addition of a JMSAppender to this configuration file
We are currently waiting for a new version of log4j1.2 to be released, or may
be we will switch to https://reload4j.qos.ch/
> CVE-2022-23302/23305/23307 In log4j(1.x)
> ------------------------------------------
>
> Key: DIRMINA-1158
> URL: https://issues.apache.org/jira/browse/DIRMINA-1158
> Project: MINA
> Issue Type: Improvement
> Components: Core
> Affects Versions: 2.1.4, 2.1.5
> Reporter: DONG LI
> Priority: Critical
>
> Hi
> Recently,three vulnerabilities have been discovered
> :CVE-2022-23302/23305/23307 In log4j(1.x) 。
> The module “mina-core” depend on log4j 1.2.17 ,
> So do we have any plans to deal with these vulnerabilities?
> Thanks :)
> [https://www.cvedetails.com/cve/CVE-2022-23302]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23305]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-23307]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
