Juan Diego Morera created SLF4J-486: ---------------------------------------
Summary: deserialization of untrusted data risk on slf4j-log4j12
Key: SLF4J-486
URL: https://jira.qos.ch/browse/SLF4J-486
Project: SLF4J
Issue Type: Bug
Affects Versions: 2.0.0-alpha1
Reporter: Juan Diego Morera
Assignee: SLF4J developers list

Hello, it looks like the latest version of slf4j-log4j12 (2.0.0-alpha1) has a dependency on log4j-1.2.17.jar, and it will have the issue of deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.

Related documentation: https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Please let me know if you already have this on your radar.

Regards.

--
This message was sent by Atlassian JIRA (v7.3.1#73012)

_______________________________________________
slf4j-dev mailing list
slf4j-dev@qos.ch
http://mailman.qos.ch/mailman/listinfo/slf4j-dev
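The report above concerns an application pulling in log4j-1.2.17.jar transitively through slf4j-log4j12. As an added example (not code from the SLF4J or log4j projects), the following Python script does the inventory check a defender would run on a deployment: it opens each jar in a directory, reads the Maven `pom.properties` that the log4j 1.2.x artifact ships under `META-INF/maven/log4j/log4j/`, and reports whether the jar both is a 1.2.x build and still contains the `org.apache.log4j.net` socket listener classes that CVE-2019-17571 is about. The sample jars it scans are constructed in a temporary directory with placeholder entries, so it runs offline; the classification logic (affected only when the 1.2.x artifact and its socket classes are both present) is this example's own rule, not an official one.

```python
"""Inventory check for the log4j 1.2.x SocketServer deserialization issue (CVE-2019-17571).

Added example; not part of the SLF4J or log4j projects. It scans jar files for the
log4j 1.2.x Maven artifact and for the network classes that carry the affected code.
"""
import os
import tempfile
import zipfile

# Classes that implement the log4j 1.2 socket listener. A jar that has them
# repackaged out exposes no such listener even if its version string is 1.2.x.
SOCKET_CLASSES = (
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
)
# Standard Maven location of the artifact descriptor inside a log4j:log4j jar.
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def read_properties(text):
    """Parse the simple key=value lines Maven writes into pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def inspect_jar(path):
    """Return a finding dict for one jar: artifact version, socket classes, affected flag."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            props = read_properties(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
            if props.get("groupId") == "log4j" and props.get("artifactId") == "log4j":
                version = props.get("version")
    has_socket = any(c in names for c in SOCKET_CLASSES)
    is_log4j12 = version is not None and version.startswith("1.2.")
    return {
        "jar": os.path.basename(path),
        "version": version,
        "socket_classes": has_socket,
        # Flagged only when both the 1.2.x artifact and its socket listener classes are
        # present; actual exposure still depends on the listener being run on untrusted traffic.
        "affected": is_log4j12 and has_socket,
    }


def scan_directory(directory):
    """Inspect every *.jar in a directory; returns {jar name: finding}."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".jar"):
            finding = inspect_jar(os.path.join(directory, name))
            findings[finding["jar"]] = finding
    return findings


def build_sample_jar(path, version, include_socket):
    """Constructed stand-in jar for this example: a few entries, placeholder bytes, no real bytecode."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"groupId=log4j\nartifactId=log4j\nversion={version}\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        if include_socket:
            for cls in SOCKET_CLASSES:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")


def demo():
    """Build constructed jars in a temp dir, scan them, and return the findings."""
    directory = tempfile.mkdtemp()
    build_sample_jar(os.path.join(directory, "log4j-1.2.17.jar"), "1.2.17", True)
    build_sample_jar(os.path.join(directory, "log4j-1.2.17-nosocket.jar"), "1.2.17", False)
    with zipfile.ZipFile(os.path.join(directory, "other-lib.jar"), "w") as zf:
        zf.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")  # unrelated library
    return scan_directory(directory)


if __name__ == "__main__":
    for jar, f in demo().items():
        status = "AFFECTED (CVE-2019-17571)" if f["affected"] else "ok"
        print(f"{jar}: version={f['version']} socket_classes={f['socket_classes']} -> {status}")
```

Point `scan_directory` at a real `WEB-INF/lib` or classpath directory to get the same report for a deployment; the `affected` flag tells you which jars to exclude (for example via a Maven `<exclusion>` on the `log4j:log4j` dependency of slf4j-log4j12) or to check for a running `SocketServer`.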