[
https://issues.apache.org/jira/browse/MNG-7382?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17470735#comment-17470735
]
Michael Osipov commented on MNG-7382:
-------------------------------------
[~Ronald Ayoub], you just made my day. I can't stop laughing. AWESOME!
> log4j remote security execution implicated in maven-compiler-plugin
> -------------------------------------------------------------------
>
> Key: MNG-7382
> URL: https://issues.apache.org/jira/browse/MNG-7382
> Project: Maven
> Issue Type: Bug
> Components: Dependencies
> Affects Versions: 3.8.4
> Environment: Windows 10. But I know how to make it work like Linux.
> Reporter: Ronald Ayoub
> Assignee: Sylwester Lachiewicz
> Priority: Critical
> Labels: security, vulnerability
> Attachments: Capture.PNG
>
>
> I use maven to build a java war to a tomcat webapps directory. During this
> process, I've issued that I am not using log4j anywhere. Nevertheless, every
> time I build log4j appears in the .m2 directory. I walked dependencies trees
> and executed finds in a variety of directories and can't find the dependency.
> However, when I executed maven with verbose mode I found it. Apparently, the
> maven-compiler-plugin requires an old and vulnerable version of log4j. Worse
> yet, I believe Tomcat is using it dynamically without configuration by its
> mere presence in the .m2 directory. Hence, a security scanner flagged my
> website as having the log4j vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
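The report above conflates two different things: what Maven caches in the local repository (~/.m2, which also holds the dependencies of build plugins such as maven-compiler-plugin) and what a deployed web application can actually load. Tomcat resolves a webapp's classes from WEB-INF/classes and WEB-INF/lib inside the WAR plus the server's own lib directory; a jar that only sits in ~/.m2 is not on that classpath. The script below is an added example, written for this page and not code from the Jira thread or the Maven project. It scans the local repository for log4j-core jars and, separately, scans a WAR's WEB-INF/lib, reporting for each hit whether the jar contains the JndiLookup class that is the usual quick indicator of JNDI lookup support. The fixture it builds (directory layout, jar contents, the version number 2.8.2 and the commons-lang3 placeholder) is constructed for the demo and stands in for real artifacts.

```python
"""Separate build-time presence from runtime exposure: list log4j-core jars that
sit in a local Maven repository (~/.m2, where plugin dependencies are cached)
and, separately, those a WAR actually ships under WEB-INF/lib."""
import io
import os
import re
import tempfile
import zipfile

# The class whose presence is the usual quick test for JNDI lookup support in log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_CORE_RE = re.compile(r"^log4j-core-(?P<version>[^/]+)\.jar$")


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """True if the jar (given as bytes) contains the JndiLookup class entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JNDI_LOOKUP in jar.namelist()


def scan_war(war_path: str) -> list:
    """Report every log4j-core jar under WEB-INF/lib of a WAR.

    Only this location (plus Tomcat's own lib/) is on the webapp classpath;
    a jar elsewhere on disk, e.g. in ~/.m2, is not loaded by Tomcat.
    """
    findings = []
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            if not entry.startswith("WEB-INF/lib/"):
                continue
            m = LOG4J_CORE_RE.match(os.path.basename(entry))
            if m:
                findings.append({
                    "entry": entry,
                    "version": m.group("version"),
                    "jndi_lookup": jar_has_jndi_lookup(war.read(entry)),
                })
    return findings


def scan_m2(repo_root: str) -> list:
    """Return paths of log4j-core jars anywhere under a local Maven repository."""
    return sorted(
        os.path.join(root, f)
        for root, _dirs, files in os.walk(repo_root)
        for f in files
        if LOG4J_CORE_RE.match(f)
    )


def fake_log4j_core() -> bytes:
    """Constructed stand-in for a log4j-core jar: a zip holding only the
    JndiLookup entry (the payload is not real bytecode)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_fixture(workdir: str) -> tuple:
    """Constructed scenario matching the report: the local repo caches a
    log4j-core jar pulled in by a plugin, while the built WAR does not ship it.
    A second WAR that does ship it is built for contrast. The version number
    2.8.2 is made up for the fixture. Returns (repo_root, clean_war, shipping_war)."""
    repo_root = os.path.join(workdir, "m2", "repository")
    core_dir = os.path.join(repo_root, "org", "apache", "logging", "log4j",
                            "log4j-core", "2.8.2")
    os.makedirs(core_dir)
    with open(os.path.join(core_dir, "log4j-core-2.8.2.jar"), "wb") as fh:
        fh.write(fake_log4j_core())

    clean_war = os.path.join(workdir, "clean.war")
    with zipfile.ZipFile(clean_war, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/commons-lang3-3.12.0.jar", b"")  # unrelated placeholder

    shipping_war = os.path.join(workdir, "shipping.war")
    with zipfile.ZipFile(shipping_war, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/log4j-core-2.8.2.jar", fake_log4j_core())
    return repo_root, clean_war, shipping_war


def demo(workdir: str) -> dict:
    """Run both scans over the fixture: the ~/.m2 scan fires for the cached
    plugin dependency, the WAR scan fires only for shipping.war."""
    repo_root, clean_war, shipping_war = build_fixture(workdir)
    return {
        "m2_hits": len(scan_m2(repo_root)),
        "clean_war": scan_war(clean_war),
        "shipping_war": scan_war(shipping_war),
    }


def run_demo_in_tempdir() -> dict:
    """Convenience wrapper so the demo leaves nothing behind on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    for key, value in run_demo_in_tempdir().items():
        print(key, value)
```

Run `scan_m2` against your real `~/.m2/repository` and `scan_war` against the WAR that is actually deployed to Tomcat's webapps directory. A hit only in the first tells you a build plugin (or one of its dependencies) cached the jar, which is what `mvn -X` shows during resolution; a hit in the second is what would actually be loaded by the running application and is what a runtime scanner should be looking at.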