[jira] [Commented] (LOG4J2-3409) workaround for jackson-mapper-asl-1.9.13.jar security vulnerability @ flume-ng

Mon, 21 Feb 2022 01:24:05 -0800 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-3409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495413#comment-17495413
 ] 

alexander kravchik commented on LOG4J2-3409:
--------------------------------------------

Hi Matt & Ralph,

I opened the issue on log4j as the dependency of jackson-mapper-asl as I saw it 
here [ASF Git Repos - logging-log4j2.git/blob - log4j-flume-ng/pom.xml 
(apache.org)|https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;a=blob;f=log4j-flume-ng/pom.xml;h=eb18d9d98dd610cecbb1b1c14126e3d4b11c41c0;hb=11dafda0c43eb31cca67f3b0ed0ca9b81780db76#l89]

According to the maven repository:
 * jackson-mapper-asl [Maven Repository: org.codehaus.jackson » 
jackson-mapper-asl 
(mvnrepository.com)|https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl]
 was replaced with [Maven Repository: com.fasterxml.jackson.core » 
jackson-databind 
(mvnrepository.com)|https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind]
 * jackson-core-asl [ASF Git Repos - logging-log4j2.git/blob - 
log4j-flume-ng/pom.xml 
(apache.org)|https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;a=blob;f=log4j-flume-ng/pom.xml;h=eb18d9d98dd610cecbb1b1c14126e3d4b11c41c0;hb=11dafda0c43eb31cca67f3b0ed0ca9b81780db76#l85]
 was replaced with [Maven Repository: com.fasterxml.jackson.core » jackson-core 
(mvnrepository.com)|https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core]

 

I also opened the issue on Flume [FLUME-3407] workaround for 
jackson-mapper-asl-1.9.13.jar @ flume-ng - ASF JIRA (apache.org), it seems it 
has more vulnerabilities.

Can you recheck from your end again as I do not think flume can fix this, the 
next version of flume will not need this jackson dependency - but the 
dependency is still on your end according to the pom

Kind Regards

Sasha

> workaround for jackson-mapper-asl-1.9.13.jar security vulnerability @ flume-ng
> ------------------------------------------------------------------------------
>
>                 Key: LOG4J2-3409
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3409
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: Flume Appender
>    Affects Versions: 2.17.1
>         Environment: java 11
>            Reporter: alexander kravchik
>            Priority: Major
>
> Dear colleagues, 
> we are using log4j2 with flume-ng appender. 
> The below vulnerabilities are found in the dependent 
> jackson-mapper-asl-1.9.13.jar :
> cve-2019-10202
> cve-2019-10172
> etc...
> Please advise if this will be fixed and planned ETA in case it is already 
> fixed
> Thanks , 
> Sasha



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to