Fred Jones created ROCKETMQ-370:
Summary: Currently used version of logback contains a security
Project: Apache RocketMQ
Issue Type: Improvement
Reporter: Fred Jones
In our exploration of your project we found that it is currently using version
1.0.13 of logback which is vulnerable to Arbitrary Code Execution. A
configuration can be turned on to allow remote logging through interfaces that
accept untrusted serialized data. Authenticated attackers on the adjacent
network can exploit this vulnerability to run arbitrary code through the
deserialization of custom gadget chains.
Upgrade the version of logback in the pom.xml to version 1.2 or higher.
For additional details on this vulnerability you can visit the following
Common Vulnerabilities and Exposures (CVE):
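An added example (my code, not the reporter's or RocketMQ's): a small check that scans a constructed pom.xml for ch.qos.logback dependencies pinned below the 1.2 floor the report recommends, resolving `${property}` versions the way Maven would and flagging versions it cannot resolve so they get reviewed by hand.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample pom.xml (not RocketMQ's real file): one dependency pins the
# vulnerable 1.0.13 release via a property, the other literally.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><logback.version>1.0.13</logback.version></properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.0.13</version>
    </dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MIN_SAFE = (1, 2, 0)  # the report asks for logback 1.2 or higher

def parse_version(text):
    """Turn '1.2.3' or '1.2' into a 3-tuple, ignoring qualifiers like '-SNAPSHOT'."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def resolve(value, props):
    """Expand a ${property} reference against the POM's <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    return props.get(m.group(1), value) if m else value.strip()

def vulnerable_logback_deps(pom_xml):
    """Return [(artifactId, version)] for ch.qos.logback deps below 1.2; a dep
    with no <version> (inherited from a parent/BOM) is reported as 'unresolved'."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", "", NS) != "ch.qos.logback":
            continue
        artifact = dep.findtext("m:artifactId", "", NS)
        version = resolve(dep.findtext("m:version", "", NS), props)
        if not version:
            hits.append((artifact, "unresolved"))
        elif parse_version(version) < MIN_SAFE:
            hits.append((artifact, version))
    return hits
```

Versions managed only in a parent POM or BOM show up as `unresolved`; check those with `mvn dependency:tree` rather than trusting the single file.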