Update log4j 1 to log4j 2

Question

Update log4j 1 to log4j 2

r-brown opened this issue 5 years ago · 0 comments

Security Alert:
https://github.com/Labs64/NetLicensingClient-java/network/alert/pom.xml/log4j:log4j/open

CVE-2019-17571
moderate severity
Vulnerable versions: >= 1.2, <= 1.2.27
Patched version: No fix

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

log4j migration
https://logging.apache.org/log4j/2.x/manual/migration.html