[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-3990?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Damien Diederen resolved ZOOKEEPER-3990.
----------------------------------------
      Assignee: Damien Diederen
    Resolution: Duplicate

Thank you for the report, [~kotlasaicharanreddy]. The rationale, from [{{owaspSuppressions.xml}}|https://github.com/apache/zookeeper/blob/5b034a4362e41a62da43979ad0fb6c97477c1624/owaspSuppressions.xml#L44-L48] and the linked ZOOKEEPER-3677, is that we don't use that part of Log4j, and that nobody has taken care of the switch so far. See [this email|https://mail-archives.apache.org/mod_mbox/zookeeper-dev/202010.mbox/%3CCADKUBPi60YyZXWdKhBk-HFOAkGkyLV9MGGww2QCgr1bqfG9gWQ%40mail.gmail.com%3E] and the rest of the thread as well as ZOOKEEPER-2342 for more context.

> Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571
> --------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3990
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3990
>             Project: ZooKeeper
>          Issue Type: Bug
>    Affects Versions: 3.6.1, 3.6.2
>            Reporter: SAICHARAN REDDY KOTLA
>            Assignee: Damien Diederen
>            Priority: Major
>
> Hello everyone,
> I work for a product which uses apache/zookeeper 3.6.1.  We scanned our 
> product with a security scanner which reported CVE-2019-17571. 
> After analysis we found that this vulnerability is coming from zookeeper 
> 3.6.1 because of direct dependency on log4j 1.2.17. 
> Statement regarding 1.x version of log4j from [official 
> |http://logging.apache.org/log4j/1.2/] site:
> {quote}A security vulnerability, CVE-2019-17571 has been identified against 
> Log4j 1. Log4j includes a SocketServer that accepts serialized log events and 
> deserializes them without verifying whether the objects are allowed or not. 
> This can provide an attack vector that can be exploited. Since Log4j 1 is no 
> longer maintained this issue will not be fixed. Users are urged to upgrade to 
> Log4j 2.x.
> {quote}
> Could you please share your rationale on not upgrading log4j to 2.x
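The suppression rationale above ("we don't use that part of Log4j") is a claim about the artifact actually on the classpath, and it is worth verifying rather than taking on trust. The following script is an added example, not ZooKeeper project code or anything from the OWASP suppression file: it inspects a Log4j jar, reports the declared version, and checks whether the socket receiver classes that deserialize log events (the part described by CVE-2019-17571) are still shipped; it can also write a copy of the jar with those classes removed as an interim mitigation. The class list and the sample jar are constructed for the example and are assumptions, not text from the advisory.

```python
"""Inventory check for Log4j 1.x jars (added example; not ZooKeeper project code).

CVE-2019-17571 concerns the Log4j 1 socket receiver, which reads serialized
LoggingEvent objects from the network. This script reports whether a jar is
Log4j 1.x, which version it declares, and whether it still contains those
receiver classes, so a scanner suppression's "we don't use that part" rationale
can be checked against the real artifact. It can also strip those classes.
"""
import io
import sys
import zipfile

# Receiver-side classes of the Log4j 1.2 org.apache.log4j.net package that
# deserialize LoggingEvents from a socket. Assumption made by this example;
# it is not an authoritative list from the advisory.
RECEIVER_CLASSES = {
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SimpleSocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
}
# Standard Maven metadata path inside log4j-1.2.x jars.
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def inspect_jar(jar_bytes):
    """Return {'is_log4j1', 'version', 'receiver_classes'} for a jar's bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in text.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
    return {
        # Log4j 1 ships org.apache.log4j.Logger; Log4j 2 lives under
        # org/apache/logging/log4j/, so this entry identifies the 1.x line.
        "is_log4j1": "org/apache/log4j/Logger.class" in names,
        "version": version,
        "receiver_classes": sorted(RECEIVER_CLASSES & names),
    }


def strip_receiver_classes(jar_bytes):
    """Return a copy of the jar with the socket receiver classes removed."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename not in RECEIVER_CLASSES:
                dst.writestr(info, src.read(info.filename))
    src.close()
    return out.getvalue()


def build_sample_jar():
    """Constructed stand-in for log4j-1.2.17.jar: real entry names, stub bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for name in sorted(RECEIVER_CLASSES):
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_log4j1.py [path/to/log4j.jar]; defaults to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_jar()
    report = inspect_jar(data)
    print(report)
    if report["receiver_classes"]:
        print("socket receiver classes present: the suppression needs a "
              "documented rationale, or strip them with strip_receiver_classes()")
```

Run against a real `log4j-1.2.17.jar` and the report shows the receiver classes present, which is exactly the situation the suppression in `owaspSuppressions.xml` documents; the jar produced by `strip_receiver_classes()` keeps the logging classes the application uses while dropping the deserializing receiver, which is a reasonable stopgap until the move to Log4j 2.x discussed in the linked threads lands.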

--
This message was sent by Atlassian Jira
(v8.3.4#803005)