Ronald Ayoub created MNG-7382:
---------------------------------

             Summary: log4j remote security execution implicated in maven-compiler-plugin
                 Key: MNG-7382
                 URL: https://issues.apache.org/jira/browse/MNG-7382
             Project: Maven
          Issue Type: Bug
          Components: Dependencies
    Affects Versions: 3.8.4
         Environment: Windows 10. But I know how to make it work like Linux. 
            Reporter: Ronald Ayoub
         Attachments: Capture.PNG

I use maven to build a java war to a tomcat webapps directory. During this 
process, I've issued that I am not using log4j anywhere. Nevertheless, every 
time I build, log4j appears in the .m2 directory. I walked dependency trees 
and executed finds in a variety of directories and can't find the dependency. 
However, when I executed maven in verbose mode I found it. Apparently, the 
maven-compiler-plugin requires an old and vulnerable version of log4j. Worse 
yet, I believe Tomcat is using it dynamically without configuration by its 
mere presence in the .m2 directory. Hence, a security scanner flagged my 
website as having the log4j vulnerability. 
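The reporter located the artifact by reading Maven's verbose output. A more repeatable way to answer "which log4j jars are in this repository, and which of them ship the JNDI lookup class" is to walk the repository and parse the Maven layout `<repo>/<groupId as path>/<artifactId>/<version>/<artifactId>-<version>.jar`. The script below is an added example, not part of this issue or of Maven; the sample repository it builds is constructed in a temporary directory, and the version strings in it are placeholders, not the version the maven-compiler-plugin actually pulls in.

```python
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Class that implements the JNDI lookup in log4j-core 2.x; its presence in a jar
# is the usual first thing an inventory check reports for manual follow-up.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_GROUPS = {"org.apache.logging.log4j", "log4j"}


@dataclass(frozen=True)
class Artifact:
    group_id: str
    artifact_id: str
    version: str
    path: str
    has_jndi_lookup: bool


def parse_maven_coordinates(repo_root, jar_path):
    """Recover (groupId, artifactId, version) from the repository layout.

    Returns None when the path does not follow the standard layout, e.g. for
    stray jars or for -sources/-javadoc classifier jars.
    """
    parts = os.path.relpath(jar_path, repo_root).split(os.sep)
    if len(parts) < 4:
        return None
    version, artifact_id = parts[-2], parts[-3]
    if parts[-1] != f"{artifact_id}-{version}.jar":
        return None
    return ".".join(parts[:-3]), artifact_id, version


def jar_contains(jar_path, entry):
    """True if the jar (a zip file) carries the given entry name."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return entry in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_log4j_artifacts(repo_root):
    """Inventory every log4j jar under a Maven repository directory."""
    found = []
    for dirpath, _dirs, files in os.walk(repo_root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            full = os.path.join(dirpath, name)
            coords = parse_maven_coordinates(repo_root, full)
            if coords is None:
                continue
            group_id, artifact_id, version = coords
            if group_id not in LOG4J_GROUPS:
                continue
            found.append(Artifact(group_id, artifact_id, version, full,
                                  jar_contains(full, JNDI_LOOKUP_ENTRY)))
    return sorted(found, key=lambda a: (a.group_id, a.artifact_id, a.version))


def build_sample_repository(root):
    """Constructed stand-in for ~/.m2/repository (versions are placeholders)."""
    def write_jar(group, artifact, version, entries):
        d = os.path.join(root, *group.split("."), artifact, version)
        os.makedirs(d, exist_ok=True)
        with zipfile.ZipFile(os.path.join(d, f"{artifact}-{version}.jar"), "w") as zf:
            for e in entries:
                zf.writestr(e, b"")
    write_jar("org.apache.logging.log4j", "log4j-core", "X.Y.Z-PLACEHOLDER",
              ["META-INF/MANIFEST.MF", JNDI_LOOKUP_ENTRY])
    write_jar("org.apache.logging.log4j", "log4j-api", "X.Y.Z-PLACEHOLDER",
              ["META-INF/MANIFEST.MF"])
    write_jar("junit", "junit", "4.0-PLACEHOLDER", ["META-INF/MANIFEST.MF"])


def demo():
    """Run the inventory against the constructed repository."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_repository(root)
        return [(a.artifact_id, a.version, a.has_jndi_lookup)
                for a in find_log4j_artifacts(root)]


if __name__ == "__main__":
    for artifact_id, version, jndi in demo():
        print(f"{artifact_id} {version} JndiLookup={'present' if jndi else 'absent'}")
```

Point `find_log4j_artifacts` at the real `~/.m2/repository` (or at Tomcat's `lib` and `webapps/*/WEB-INF/lib`, which is where a deployed webapp actually loads classes from) to get the list a scanner would be reacting to; the reported version is then the thing to compare against the log4j advisory, and `mvn dependency:tree` on the project tells you which declared dependency or plugin brought it in.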
--
This message was sent by Atlassian Jira
(v8.20.1#820001)