Fred Jones created ROCKETMQ-370:
-----------------------------------

             Summary: Currently used version of logback contains a security vulnerability
                 Key: ROCKETMQ-370
                 URL: https://issues.apache.org/jira/browse/ROCKETMQ-370
             Project: Apache RocketMQ
          Issue Type: Improvement
            Reporter: Fred Jones
            Assignee: vongosling


In our exploration of your project we found that it is currently using version 
1.0.13 of logback which is vulnerable to Arbitrary Code Execution. A 
configuration can be turned on to allow remote logging through interfaces that 
accept untrusted serialized data. Authenticated attackers on the adjacent 
network can exploit this vulnerability to run arbitrary code through the 
deserialization of custom gadget chains.


Recommendation:

    Upgrade the version of logback in the pom.xml to version 1.2 or higher.


For additional details on this vulnerability you can visit the following 
websites:

Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208

Common Vulnerabilities and Exposures (CVE): 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
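A quick way to check whether a build is affected before upgrading: the script below (an added example, not part of this issue or of RocketMQ) parses a pom.xml, resolves `${...}` property references, and flags any `ch.qos.logback` dependency declared below 1.2, the minimum the recommendation above calls for. The embedded pom.xml is a constructed sample; point the function at the real file contents instead.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 0)  # logback 1.2 is the fixed version the issue recommends
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml: one dependency pinned via a property, one pinned directly.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><logback.version>1.0.13</logback.version></properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.2.3</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '1.2.3' or '1.0.13-SNAPSHOT' into a comparable tuple of ints."""
    nums = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in nums.groups())

def resolve(value, props):
    """Expand ${prop} references using the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def vulnerable_logback_deps(pom_xml):
    """Return [(artifactId, resolved version)] for ch.qos.logback deps below 1.2."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "") for p in root.findall("m:properties/*", NS)}
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", default="", namespaces=NS) != "ch.qos.logback":
            continue
        artifact = dep.findtext("m:artifactId", default="", namespaces=NS)
        version = resolve(dep.findtext("m:version", default="", namespaces=NS), props)
        # Dependencies without an explicit <version> (managed by a parent/BOM) are skipped.
        if version and parse_version(version) < FIXED_VERSION:
            hits.append((artifact, version))
    return hits

print(vulnerable_logback_deps(SAMPLE_POM))  # [('logback-classic', '1.0.13')]
```

Versions inherited from a parent POM or a BOM are not visible in the file and so are not checked; `mvn dependency:tree` shows the effective versions for those.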
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)