[ https://issues.apache.org/jira/browse/ROCKETMQ-370?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16370796#comment-16370796 ]
ASF GitHub Bot commented on ROCKETMQ-370: ----------------------------------------- fredsjones opened a new pull request #228: [ROCKETMQ-370] Upgrade logback to version 1.2.3 URL: https://github.com/apache/rocketmq/pull/228 ## What is the purpose of the change Upgrade the version of logback-classic and logback-core ## Brief changelog logback in the pom.xml has been updated to 1.2.3 ## Verifying this change Follow this checklist to help us incorporate your contribution quickly and easily: - [x] Make sure there is a [JIRA issue](https://issues.apache.org/jira/projects/ROCKETMQ/issues/) filed for the change (usually before you start working on it). Trivial changes like typos do not require a JIRA issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue. - [x] Format the pull request title like `[ROCKETMQ-XXX] Fix UnknownException when host config not exist`. Each commit in the pull request should have a meaningful subject line and body. - [x] Write a pull request description that is detailed enough to understand what the pull request does, how, and why. - [ ] Write necessary unit-test to verify your logic correction, more mock a little better when cross module dependency exist. If the new feature or significant change is committed, please remember to add integration-test in [test module](https://github.com/apache/rocketmq/tree/master/test). - [x] Run `mvn -B clean apache-rat:check findbugs:findbugs checkstyle:checkstyle` to make sure basic checks pass. Run `mvn clean install -DskipITs` to make sure unit-test pass. Run `mvn clean test-compile failsafe:integration-test` to make sure integration-test pass. - [ ] If this contribution is large, please file an [Apache Individual Contributor License Agreement](http://www.apache.org/licenses/#clas). ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > Currently used version of logback contains a security vulnerability > ------------------------------------------------------------------- > > Key: ROCKETMQ-370 > URL: https://issues.apache.org/jira/browse/ROCKETMQ-370 > Project: Apache RocketMQ > Issue Type: Improvement > Reporter: Fred Jones > Assignee: vongosling > Priority: Minor > > In our exploration of your project we found that it is currently using > version 1.0.13 of logback which is vulnerable to Arbitrary Code Execution. A > configuration can be turned on to allow remote logging through interfaces > that accept untrusted serialized data. Authenticated attackers on the > adjacent network can exploit this vulnerability to run arbitrary code through > the deserialization of custom gadget chains. > > Recommendation: > Upgrade the version of logback in the pom.xml to version 1.2 or higher. > > For additional details on this vulnerability you can visit the following > websites: > Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208 > Common Vulnerabilities and Exposures (CVE): > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929 -- This message was sent by Atlassian JIRA (v7.6.3#76005)