I  have made a quick and dirty POC for this issue.
This results in a remote code execution in the JVM that exposes a ServerSocketReceiver.

Unfortunately, logback 1:1.1.9-2 is still vulnerable, not 1.2.x.

The POC is available on demand.

Fabrice Dagorn

This is the maintainer address of Debian's Java team
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to