[
https://issues.apache.org/jira/browse/OFBIZ-12449?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17469908#comment-17469908
]
ASF subversion and git services commented on OFBIZ-12449:
---------------------------------------------------------
Commit 00896e73bce0ab3cb9541c37a4405b23d32911c0 in ofbiz-framework's branch
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=00896e7 ]
Fixed: Announce 17.12.09 EOL (OFBIZ-12479)
Includes:
[SECURITY] CVE-2021-44228: Apache Log4j2 (OFBIZ-12449)
[SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
[SECURITY] Update TIka because of Apache Log4j2 vulnerability (OFBIZ-12474)
[SECURITY] CVE-2021-44832: Apache Log4j2 (OFBIZ-12475)
> [SECURITY] CVE-2021-44228: Apache Log4j2
> ----------------------------------------
>
> Key: OFBIZ-12449
> URL: https://issues.apache.org/jira/browse/OFBIZ-12449
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Fix For: 18.12.03
>
>
> CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker
> controlled LDAP and other JNDI related endpoints:
> https://logging.apache.org/log4j/2.x/security.html
> I'm not sure we are concerned, have no time to check, better safe than
> sorry...
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
