[https://issues.apache.org/jira/browse/TINKERPOP-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17367198#comment-17367198]
ASF GitHub Bot commented on TINKERPOP-2534:
-------------------------------------------
spmallette merged pull request #1444:
URL: https://github.com/apache/tinkerpop/pull/1444
> Log4j flagged as critical security violation
> --------------------------------------------
>
> Key: TINKERPOP-2534
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2534
> Project: TinkerPop
> Issue Type: Improvement
> Components: console, server
> Affects Versions: 3.4.10
> Reporter: Dan Snoddy
> Priority: Major
>
> Gremlin server and console include log4j 1.2, which reached end-of-life > 5 years ago.
> Security scanning software (twistlock) flags log4j 1.2 as a critical security violation, and hence prohibits deployment.
> CRITICAL:
> Attack complexity: low, Attack vector: network, Critical severity, Remote execution
> CVE-2019-17571
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571
> Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
>
> Is there a plan to remove log4j 1.2 so that installation of either gremlin server or console does not include the jars that trigger this security issue?