Fred Jones created ROCKETMQ-370:
-----------------------------------

             Summary: Currently used version of logback contains a security vulnerability
                 Key: ROCKETMQ-370
                 URL: https://issues.apache.org/jira/browse/ROCKETMQ-370
             Project: Apache RocketMQ
          Issue Type: Improvement
            Reporter: Fred Jones
            Assignee: vongosling

In our exploration of your project we found that it is currently using version 1.0.13 of logback, which is vulnerable to Arbitrary Code Execution. A configuration can be turned on to allow remote logging through interfaces that accept untrusted serialized data. Authenticated attackers on the adjacent network can exploit this vulnerability to run arbitrary code through the deserialization of custom gadget chains.

Recommendation: Upgrade the version of logback in the pom.xml to version 1.2 or higher.

For additional details on this vulnerability you can visit the following websites:

Snyk: https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-30208
Common Vulnerabilities and Exposures (CVE): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
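The following is an added example written for this ticket, not code from the RocketMQ project or from the reporter: a small checker that reads a Maven pom.xml, resolves `${...}` property references from the `<properties>` block, and flags any `ch.qos.logback` dependency declared below 1.2.0 (the "1.2 or higher" threshold from the recommendation, read as 1.2.0, is an assumption). The two pom snippets embedded below are constructed samples, one declaring the vulnerable 1.0.13 and one the same pom with the version bumped; a dependency with no `<version>` element (one managed by a parent pom) is skipped with a note, since its effective version cannot be seen in this file alone.

```python
"""Flag ch.qos.logback artifacts in a Maven pom.xml below the fixed line.

Added example for ROCKETMQ-370 (not RocketMQ project code). MIN_SAFE is an
assumption derived from the ticket's "1.2 or higher" recommendation.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
MIN_SAFE = (1, 2, 0)  # assumption: "1.2 or higher" read as 1.2.0
LOGBACK_GROUP = "ch.qos.logback"


def _parse_version(text):
    """Turn '1.0.13' or '1.2.3-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    if not nums:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in nums.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def _strip_ns(tag):
    return tag[len(POM_NS):] if tag.startswith(POM_NS) else tag


def find_vulnerable_logback(pom_xml):
    """Return [(artifactId, version)] for logback deps below MIN_SAFE.

    Unresolvable ${property} references are reported as findings too,
    so a dependency is never silently assumed safe.
    """
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith(POM_NS) else ""

    # Collect <properties> so ${logback.version}-style references resolve.
    props = {}
    for prop in root.findall(f"{ns}properties/*"):
        props[_strip_ns(prop.tag)] = (prop.text or "").strip()

    def resolve(value):
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    findings = []
    # root.iter() also walks <dependencyManagement>, where BOMs pin versions.
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", "")
        artifact = dep.findtext(f"{ns}artifactId", "")
        version = dep.findtext(f"{ns}version")
        if group != LOGBACK_GROUP:
            continue
        if version is None:
            # Version inherited from a parent pom; cannot be judged here.
            findings.append((artifact, "<inherited: check parent pom>"))
            continue
        version = resolve(version.strip())
        if "${" in version or _parse_version(version) < MIN_SAFE:
            findings.append((artifact, version))
    return findings


# Constructed sample: the layout this ticket describes (logback 1.0.13).
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><logback.version>1.0.13</logback.version></properties>
  <dependencies>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-classic</artifactId>
      <version>${logback.version}</version>
    </dependency>
    <dependency>
      <groupId>ch.qos.logback</groupId>
      <artifactId>logback-core</artifactId>
      <version>1.0.13</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample: same pom after applying the ticket's recommendation.
FIXED_POM = VULNERABLE_POM.replace("1.0.13", "1.2.3")


if __name__ == "__main__":
    for name, pom in (("vulnerable", VULNERABLE_POM), ("fixed", FIXED_POM)):
        print(name, "->", find_vulnerable_logback(pom) or "no findings")
```

Run against a real project with `find_vulnerable_logback(open("pom.xml").read())`; in a multi-module build, run it over every module's pom, because the version that actually ships is whichever declaration Maven's dependency mediation picks, not necessarily the one in the root pom.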