Alex Rudyy created QPIDJMS-503:
----------------------------------

             Summary: Upgrade log4j dependency to log4j2
                 Key: QPIDJMS-503
                 URL: https://issues.apache.org/jira/browse/QPIDJMS-503
             Project: Qpid JMS
          Issue Type: Task
          Components: qpid-jms-client
            Reporter: Alex Rudyy


Log4j 1.x reached EOL on August 5, 2015 as per 
[http://logging.apache.org/log4j/1.2/]. The client is distributed with an 
optional dependency on log4j 1.2.17. There is 
[CVE-2019-17571|https://nvd.nist.gov/vuln/detail/CVE-2019-17571] raised against 
this version for the class SocketServer, which is vulnerable to deserialization of 
untrusted data. Though no log4j configuration in the Qpid JMS client uses 
SocketServer, open source scanning tools flag the JMS client bundle as 
being impacted by CVE-2019-17571.
In order to silence such open source scanning tools, the log4j dependencies can 
be upgraded to log4j2.
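As an added illustration of the change this task asks for (not taken from the Qpid JMS pom.xml, which is not shown here), the Maven fragment below shows the flagged log4j 1.2.17 optional dependency beside a log4j2 replacement. It assumes the client logs through the SLF4J API, which is the usual arrangement for a library, so the log4j1 artifact is swapped for the `log4j-slf4j-impl` binding plus `log4j-core`; the `log4j2.version` property is a placeholder to be pinned to the current 2.x release.

```xml
<!-- Added example, not the project's own pom.xml. -->
<!-- Before: the optional log4j 1.x artifact that scanners match to CVE-2019-17571. -->
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
  <optional>true</optional>
</dependency>

<!-- After: log4j2 behind the SLF4J API. Version is a placeholder property
     (assumption: set it to the current log4j 2.x release in <properties>). -->
<properties>
  <log4j2.version>REPLACE-WITH-CURRENT-2.x</log4j2.version>
</properties>

<dependency>
  <!-- Bridges SLF4J calls (the API the client codes against) to log4j2. -->
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-slf4j-impl</artifactId>
  <version>${log4j2.version}</version>
  <optional>true</optional>
</dependency>
<dependency>
  <!-- The log4j2 implementation itself; keeps the dependency optional as before. -->
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>${log4j2.version}</version>
  <optional>true</optional>
</dependency>
```

After the swap, `mvn dependency:tree` should show no `log4j:log4j:1.2.17` node anywhere in the client's graph; if one remains, it is usually pulled in transitively (for example by `slf4j-log4j12`) and needs an explicit exclusion. Any `log4j.properties` shipped with the client will also need to become a `log4j2.xml`, since log4j2 does not read the 1.x configuration format by default.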



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
