Joel Cain created BEAM-12679:
--------------------------------
Summary: Critical issues are being pulled in by 2 of Beam's dependencies
Key: BEAM-12679
URL: https://issues.apache.org/jira/browse/BEAM-12679
Project: Beam
Issue Type: Bug
Components: dependencies
Reporter: Joel Cain
Vulnerabilities:

1. org.apache.logging.log4j_log4j-api version 2.6.2 has 2 vulnerabilities (1 critical).

Main issue description: In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.

This issue is fixed in version 2.8.2.

2. com.fasterxml.jackson.core_jackson-databind version 2.9.8 has 49 vulnerabilities (14 critical).

Example issue description: A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when `@JsonTypeInfo` is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which `ObjectMapper.readValue` might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

All issues resolved in versions after 2.9.10.4.
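The jackson-databind condition above is a configuration problem as much as a version problem. The following is an added example, not code from the Beam project or the reporter, showing the weak `enableDefaultTyping()` setting beside the hardened form that Jackson 2.10+ provides (`activateDefaultTyping` behind a `PolymorphicTypeValidator`), with a declared-subtype `@JsonTypeInfo(use = Id.NAME)` model instead of class-name ids. The `Shape`/`Circle` types and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicTypingCheck {
    // Hypothetical model. Logical type ids instead of class names: the wire
    // format can only say "circle", so input cannot name a class for readValue.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({@JsonSubTypes.Type(value = Circle.class, name = "circle")})
    public interface Shape {}
    public static class Circle implements Shape {
        public double radius;
    }
    // The weak setting named in the report: any class named in the JSON is built.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return m;
    }
    // Hardened setting (Jackson 2.10+): default typing only behind a validator
    // that limits instantiable subtypes to implementations of our own Shape.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }
    public static void main(String[] args) throws Exception {
        // Constructed inputs: a valid shape, and a class-name id (harmless here)
        // standing in for whatever class untrusted input might try to name.
        String shape = "{\"type\":\"circle\",\"radius\":2.0}";
        String classId = "[\"java.util.HashMap\", {}]";
        Shape s = hardenedMapper().readValue(shape, Shape.class);
        System.out.println("declared subtype: " + s.getClass().getSimpleName());
        Object o = weakMapper().readValue(classId, Object.class);
        System.out.println("weak mapper instantiated " + o.getClass().getName());
        try {
            hardenedMapper().readValue(classId, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("hardened mapper rejected: " + e.getOriginalMessage());
        }
    }
}
```

Dependency scanners flag the version; a code search for `enableDefaultTyping(` and `Id.CLASS` / `Id.MINIMAL_CLASS` finds the call sites where the upgrade alone does not remove the exposure.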