fredsjones opened a new issue #813: Currently used version of logback contains a security vulnerability
URL: https://github.com/apache/incubator-skywalking/issues/813

Please answer these questions before submitting your issue.

- Why do you submit this issue?
- [ ] Question or discussion
- [ ] Bug
- [ ] Requirement
- [X] Feature or performance improvement
___
### Requirement or improvement
In our exploration of your project we found that it is currently using version 1.1.7 of logback which is vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.

Recommendation:

    Upgrade the version of logback in the incubator-skywalking/apm-application-toolkit/apm-toolkit-logback-1.x/pom.xml to version 1.2 or higher.

For additional details on this vulnerability you can visit the following websites:
Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208
Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
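The recommendation above is a version bump in one pom.xml, and the practical follow-up question for a maintainer is whether any other module still pulls in a logback below 1.2. The script below is an added example, not code from the issue or from the SkyWalking project: it parses a Maven pom, resolves `${property}` version references from the `<properties>` block, and reports every `ch.qos.logback` dependency whose version is below the 1.2 threshold the issue names. The pom it scans is constructed inline for illustration and is not the project's real file.

```python
"""Flag ch.qos.logback dependencies below 1.2 in a Maven pom.xml (CVE-2017-5929).

Added example; not part of the SkyWalking project. SAMPLE_POM is a
constructed pom used only to exercise the check.
"""
import re
import xml.etree.ElementTree as ET

# Maven poms declare this namespace, so every tag lookup must carry it.
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample: one logback dependency below 1.2 whose version lives in
# <properties>, one already at 1.2.x, and one unrelated dependency.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <logback.version>1.1.7</logback.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.2.3</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.25</version>
    </dependency>
  </dependencies>
</project>
"""

FIXED_VERSION = (1, 2)  # the issue recommends logback 1.2 or higher


def parse_version(text):
    """Turn '1.1.7' into (1, 1, 7); a trailing qualifier such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def resolve(version_text, properties):
    """Expand a ${name} reference using the pom's <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", version_text.strip())
    if m:
        return properties.get(m.group(1), version_text.strip())
    return version_text.strip()


def find_vulnerable_logback(pom_xml):
    """Return [(artifactId, resolved version)] for ch.qos.logback deps below 1.2.

    A dependency with no resolvable version parses to () and is therefore
    reported too, which is the safe default: its version is managed elsewhere
    and needs a manual look.
    """
    root = ET.fromstring(pom_xml)
    properties = {
        child.tag.split("}")[-1]: (child.text or "").strip()
        for child in root.findall("m:properties/*", POM_NS)
    }
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", POM_NS):
        group = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        if group != "ch.qos.logback":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        raw = dep.findtext("m:version", default="", namespaces=POM_NS)
        version = resolve(raw, properties)
        if parse_version(version) < FIXED_VERSION:
            findings.append((artifact, version))
    return findings


if __name__ == "__main__":
    for artifact, version in find_vulnerable_logback(SAMPLE_POM):
        print(f"{artifact} {version}: below 1.2 (CVE-2017-5929), upgrade recommended")
```

Run against a real pom by reading the file into `find_vulnerable_logback`; for a multi-module build like SkyWalking, loop over every pom.xml in the tree, since a parent pom's `<dependencyManagement>` and per-module overrides can each pin a different logback version.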

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


With regards,
Apache Git Services