[
https://issues.apache.org/jira/browse/OFBIZ-12470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462057#comment-17462057
]
ASF subversion and git services commented on OFBIZ-12470:
---------------------------------------------------------
Commit 78ce0e3fc74e0c2b92077111b756550b692d1576 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=78ce0e3 ]
Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not
protect
from uncontrolled recursion from self-referential lookups. This allows an
attacker with control over Thread Context Map data to cause a denial of service
when a crafted string is interpreted.
This issue is fixed in Log4j 2.17.0.:
https://logging.apache.org/log4j/2.x/security.html
> [SECURITY] CVE-2021-45105: Apache Log4j2
> ----------------------------------------
>
> Key: OFBIZ-12470
> URL: https://issues.apache.org/jira/browse/OFBIZ-12470
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: 18.12.04
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
>
> CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not
> protect from uncontrolled recursion from self-referential lookups. This
> allows an attacker with control over Thread Context Map data to cause a
> denial of service when a crafted string is interpreted. This issue is fixed
> in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
