fredsjones opened a new issue #813: Currently used version of logback contains 
a security vulnerability
   Please answer these questions before submitting your issue.
   - Why do you submit this issue?
   - [ ] Question or discussion
   - [ ] Bug
   - [ ] Requirement
   - [X] Feature or performance improvement
   ### Requirement or improvement
   In our exploration of your project we found that it is currently using 
version 1.1.7 of logback which is vulnerable to Arbitrary Code Execution.  A 
configuration can be turned on to allow remote logging through interfaces that 
accept untrusted serialized data. Authenticated attackers on the adjacent 
network can exploit this vulnerability to run arbitrary code through the 
deserialization of custom gadget chains.
       Upgrade the version of logback in the 
incubator-skywalking/apm-application-toolkit/apm-toolkit-logback-1.x/pom.xml to 
version 1.2 or higher.
   For additional details on this vulnerability you can visit the following 
   Common Vulnerabilities and Exposures (CVE):

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:

With regards,
Apache Git Services

Reply via email to