Dan Snoddy created TINKERPOP-2534:
-------------------------------------
Summary: Log4j flagged as critical security violation
Key: TINKERPOP-2534
URL: https://issues.apache.org/jira/browse/TINKERPOP-2534
Project: TinkerPop
Issue Type: Bug
Components: console, server
Affects Versions: 3.4.10
Reporter: Dan Snoddy
Gremlin Server and Console include Log4j 1.2, which reached end-of-life more than 5 years ago.
Security scanning software (Twistlock) flags Log4j 1.2 as a critical security violation and hence prohibits deployment.
CRITICAL: Attack complexity: low, Attack vector: network, Critical severity, Remote execution
CVE-2019-17571: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
Is there a plan to remove Log4j 1.2 so that the installation of either Gremlin Server or Console does not include the jars that trigger this security issue?
--
This message was sent by Atlassian Jira (v8.3.4#803005)
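For anyone who needs to confirm whether a Gremlin Server or Console installation still ships the Log4j 1.2 jars described in this issue, the following shell script is an added example (not part of the Jira issue and not TinkerPop's own tooling). It lists log4j jars in a lib directory and flags the versions covered by CVE-2019-17571 (Log4j 1.2 through 1.2.17) while leaving Log4j 2 modules, including the log4j-1.2-api bridge, unflagged. The lib directory path and the jar file names used in the comments are assumptions; they are not taken from TinkerPop's actual distribution layout.

```shell
#!/bin/sh
# Added example (not from the Jira issue or TinkerPop): scan a lib directory
# for Log4j 1.x jars affected by CVE-2019-17571. Paths and file names are
# assumptions used for illustration only.

# Return 0 if the version string taken from a jar name is a Log4j 1.x release
# affected by CVE-2019-17571 (1.2 up to and including 1.2.17), 1 if it is not,
# and 2 if a 1.2.x patch level cannot be parsed.
log4j1_affected() {
  ver="$1"
  case "$ver" in
    1.2-api-*) return 1 ;;          # Log4j 2's compatibility bridge, not Log4j 1
    1.2) return 0 ;;                # bare "1.2" artifact as some scanners report it
    1.2.[0-9]*)
      patch=${ver#1.2.}
      case "$patch" in
        *[!0-9]*) return 2 ;;       # non-numeric patch level, cannot decide
      esac
      [ "$patch" -le 17 ] && return 0 || return 1 ;;
    1.*) return 0 ;;                # older 1.0/1.1 lines are end-of-life as well
    *) return 1 ;;                  # Log4j 2 modules (core, api, ...) or unrelated
  esac
}

# Print one line per log4j jar in DIR: "AFFECTED <path>" or "OK <path>".
# Returns 0 when no affected jar was found, 1 when at least one was.
scan_log4j_jars() {
  dir="$1"
  found=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue       # glob matched nothing
    base=$(basename "$jar" .jar)
    ver=${base#log4j-}
    if log4j1_affected "$ver"; then
      echo "AFFECTED $jar"
      found=1
    else
      echo "OK $jar"
    fi
  done
  return $found
}

# Usage: sh scan_log4j.sh /path/to/gremlin-server/lib (path is an assumption)
if [ "$#" -gt 0 ]; then
  scan_log4j_jars "$1"
fi
```

The exit status is meant for CI gates: a non-zero status from scan_log4j_jars means at least one affected jar is present, which is the same condition the reporter's scanner treats as a deployment blocker.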