[ 
https://issues.apache.org/jira/browse/JCLOUDS-1589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458828#comment-17458828
 ] 

Andrew Gaul edited comment on JCLOUDS-1589 at 12/16/21, 12:20 AM:
------------------------------------------------------------------

But jclouds-log4j currently depends on log4j 1.2.17 which suffers from a 
_different_ CVE:

[https://www.cvedetails.com/cve/CVE-2019-17571/]

I'm not too familiar with this driver and my first thought is to remove it as 
unmaintained since upgrading requires source code changes.  But some tests rely 
on log4j e.g., atmos, b2, s3, so we need to migrate those first.



> Upgrade to Log4j 2.15.0
> -----------------------
>
>                 Key: JCLOUDS-1589
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1589
>             Project: jclouds
>          Issue Type: Improvement
>          Components: jclouds-drivers
>    Affects Versions: 2.4.0
>            Reporter: Andrew Gaul
>            Priority: Major
>              Labels: dependency, log4j
>
> 2.15.0 fixes a critical CVE:
>  
> https://logging.apache.org/log4j/2.x/security.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
