[NXP-29272] Upgrade log4j and slf4j libraries - Nuxeo Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.10
Fix Version/s: 10.10-HF29, 11.2, 2021.0
Component/s: Distribution / Installers

Tags:
- SupCom
- noRNS
- nxsupport
Backlog priority:
900
Sprint:
nxsupport 11.1.7
Story Points:
1

Description

These libs have known security vulnerabilties:

Improper validation of certificate with host mismatch in Log4j2 SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.

Solution : Update Apache Log4j to version 2.13.2 or later.

SLF4J through version 1.7.25 is vulnerable to an XML deserialisation vulnerability in the EventData constructor. This may allow a context-dependent attacker to execute arbitrary code.

Solution : Update SLF4J to version 1.7.26 or later.

Attachments

Issue Links

Is referenced in

PR for 10.10: #4160

PR for master: #4172

PR for master: #4294

PR for master: #4597

Activity

People

Assignee:

Thierry Martins

Reporter:

Thierry Martins

Participants:

Jenkins, Support Tech User, Thierry Martins

Votes:

0 Vote for this issue

Watchers:

4 Start watching this issue

Dates

Created:

2020-06-17 15:09

Updated:

2021-01-19 16:57

Resolved:

2020-06-22 15:42

Time Tracking

Estimated:

Not Specified

Remaining:

0m

Logged:

15m