Fred Jones created ROCKETMQ-370:

             Summary: Currently used version of logback contains a security 
                 Key: ROCKETMQ-370
             Project: Apache RocketMQ
          Issue Type: Improvement
            Reporter: Fred Jones
            Assignee: vongosling

In our exploration of your project we found that it is currently using version 
1.0.13 of logback which is vulnerable to Arbitrary Code Execution.  A 
configuration can be turned on to allow remote logging through interfaces that 
accept untrusted serialized data. Authenticated attackers on the adjacent 
network can exploit this vulnerability to run arbitrary code through the 
deserialization of custom gadget chains.

    Upgrade the version of logback in the pom.xml to version 1.2 or higher.

For additional details on this vulnerability you can visit the following 

Common Vulnerabilities and Exposures (CVE):

This message was sent by Atlassian JIRA

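The remediation above is a version bump in pom.xml. The following is an added example (not part of this ticket or of RocketMQ) of a check a maintainer can run to confirm that no declared logback dependency is still below the 1.2 line the ticket asks for. The two sample POMs are constructed for illustration; the property name `logback.version`, the 1.2.3 value used as the "fixed" version, and the function names are assumptions.

```python
"""Flag Maven pom.xml files that declare a logback version older than 1.2.0.

Added example; not RocketMQ project code. The sample POMs are constructed and
the 1.2.3 "fixed" version is an assumption based on the ticket's "1.2 or higher".
"""
import re
import xml.etree.ElementTree as ET

LOGBACK_GROUP = "ch.qos.logback"
MIN_SAFE_VERSION = (1, 2, 0)  # the ticket asks for "1.2 or higher"


def parse_version(text):
    """'1.0.13' -> (1, 0, 13); '1.2.3-SNAPSHOT' -> (1, 2, 3). Missing parts read as 0."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def _namespace(root):
    """Return (nsmap, prefix) so lookups work whether or not the POM declares xmlns."""
    if root.tag.startswith("{"):
        return {"m": root.tag[1:root.tag.index("}")]}, "m:"
    return {}, ""


def _text(elem, name, nsmap, prefix):
    child = elem.find(prefix + name, nsmap)
    return child.text.strip() if child is not None and child.text else None


def resolve_property(value, props):
    """Expand ${name} references from <properties>; unknown names are left as-is."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def audit_logback_versions(pom_xml):
    """Return [(artifactId, version, status)] for ch.qos.logback dependencies that
    are either 'vulnerable' (below 1.2.0) or 'unresolved' (version inherited from a
    parent POM/BOM, so it must be checked with Maven itself).

    Every <dependency> element is visited, including those under
    <dependencyManagement>, so a centrally pinned version is still checked.
    """
    root = ET.fromstring(pom_xml)
    nsmap, prefix = _namespace(root)
    props = {}
    props_el = root.find(prefix + "properties", nsmap)
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}", 1)[-1]] = (p.text or "").strip()

    dep_tag = f"{{{nsmap['m']}}}dependency" if nsmap else "dependency"
    findings = []
    for dep in root.iter(dep_tag):
        if _text(dep, "groupId", nsmap, prefix) != LOGBACK_GROUP:
            continue
        artifact = _text(dep, "artifactId", nsmap, prefix)
        raw = _text(dep, "version", nsmap, prefix)
        if raw is None:
            findings.append((artifact, None, "unresolved"))
            continue
        version = resolve_property(raw, props)
        if "${" in version:  # property defined outside this POM
            findings.append((artifact, version, "unresolved"))
        elif parse_version(version) < MIN_SAFE_VERSION:
            findings.append((artifact, version, "vulnerable"))
    return findings


# Constructed sample: a half-finished upgrade where logback-classic is still pinned
# to the old line through a property, logback-core is already fixed, and
# logback-access relies on a property this POM does not define.
VULNERABLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0</version>
  <properties><logback.version>1.0.13</logback.version></properties>
  <dependencies>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-classic</artifactId>
      <version>${logback.version}</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-core</artifactId>
      <version>1.2.3</version></dependency>
    <dependency><groupId>ch.qos.logback</groupId><artifactId>logback-access</artifactId>
      <version>${parent.logback.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.25</version></dependency>
  </dependencies>
</project>
"""

# Constructed sample after the remediation: the property now points at the fixed line.
FIXED_POM = VULNERABLE_POM.replace("1.0.13", "1.2.3").replace(
    "${parent.logback.version}", "${logback.version}")

if __name__ == "__main__":
    for label, pom in (("before", VULNERABLE_POM), ("after", FIXED_POM)):
        print(label, audit_logback_versions(pom))
```

The check only sees versions declared or resolvable in the file itself; a logback version pulled in transitively, or pinned in a parent POM, shows up as `unresolved` and should be confirmed with `mvn dependency:tree`, which prints the versions Maven actually selects.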