Log4j vulnerability - CVE-2019-17571

Description

We are using it in:
xap-tools/xap-alert-integration/pom.xml
insightedge-extensions/insightedge-jdbc/pom.xml
xap-premium/petclinic-jpa/pom.xml

The vulnerability:
Included in Log4j 1.2 is a SocketServer class that is vulnerable to
deserialization of untrusted data, which can be exploited to
remotely execute arbitrary code when combined with
a deserialization gadget while listening to untrusted network
traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
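Since the ticket lists three pom.xml files and there is no fixed 1.2.x release to upgrade to, the first defensive step is knowing exactly where the affected artifact (groupId log4j, artifactId log4j, version 1.2 through 1.2.17) is pulled in. The following Python script is an added example, not code from this project or from the Log4j project: it parses a Maven pom.xml, resolves one level of `${property}` version references, and reports every log4j 1.x dependency in the affected range. The sample pom embedded in the block is constructed for illustration; the real files to run it against are the three paths named above.

```python
import re
import sys
import xml.etree.ElementTree as ET

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"
# Last affected release per CVE-2019-17571 as described in the ticket: 1.2 .. 1.2.17.
LAST_AFFECTED = (1, 2, 17)


def parse_version(text):
    """Turn '1.2.17' into (1, 2, 17); stops at the first non-numeric qualifier."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolve_property(value, props):
    """Resolve a single ${name} reference against the pom's <properties> block."""
    m = re.fullmatch(r"\$\{([^}]+)\}", value.strip())
    if m:
        return props.get(m.group(1), value)
    return value


def find_vulnerable_log4j(pom_xml):
    """Return (groupId, artifactId, version) for each log4j:log4j dependency <= 1.2.17.

    A dependency whose version is not set in this pom (it comes from a parent or
    a BOM) is reported as 'unresolved' so the parent pom is checked too, rather
    than being silently skipped.
    """
    root = ET.fromstring(pom_xml)
    # Maven poms normally carry the POM namespace, but tolerate ones that do not.
    ns = MAVEN_NS if root.tag.startswith("{") else ""
    props = {}
    for p in root.findall(f"{ns}properties/*"):
        props[p.tag.replace(ns, "")] = (p.text or "").strip()

    findings = []
    # iter() also walks <dependencyManagement>, which is where versions are often pinned.
    for dep in root.iter(f"{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "")
        aid = dep.findtext(f"{ns}artifactId", "")
        if (gid, aid) != ("log4j", "log4j"):
            continue  # Log4j 2 uses groupId org.apache.logging.log4j and is out of scope here
        ver = resolve_property(dep.findtext(f"{ns}version", ""), props)
        v = parse_version(ver)
        if not v:
            findings.append((gid, aid, "unresolved"))
        elif v <= LAST_AFFECTED:
            findings.append((gid, aid, ver))
    return findings


# Constructed sample pom (not one of the project's real files).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.0</version>
    </dependency>
  </dependencies>
</project>
"""


if __name__ == "__main__":
    # Usage: python check_log4j1.py path/to/pom.xml [more poms...]; no args scans the sample.
    paths = sys.argv[1:]
    if not paths:
        print("sample:", find_vulnerable_log4j(SAMPLE_POM))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            print(path, find_vulnerable_log4j(fh.read()))
```

A hit from this script means the affected library is on the classpath, not that the process is exposed: per the description the vulnerable path is the SocketServer listening for log data on the network, so each flagged module should then be checked for whether that server (or anything that deserializes log events from the network) is actually started and reachable.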

The mitigation:
23/3/20 - No fix

Workaround

None

Acceptance Test

None

Assignee

Unassigned

Reporter

Yuval Dori

Labels

None

Priority

Medium

SalesForce Case ID

None

Fix versions

None

Commitment Version/s

None

Due date

None

Product

None

Edition

Open Source

Platform

All