logback serialization vulnerability
xyq175com opened this issue · 1 comment
Upgrade ch.qos.logback:logback-classic to fix 2 Dependabot alerts in logback-legacy-tests/pom.xml
Upgrade ch.qos.logback:logback-classic to version 1.2.13 or later. For example:
<dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>[1.2.13,)</version>
</dependency>
A serialization vulnerability in the logback receiver component, part of logback, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.
This is only exploitable if the logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html
Thanks, per the name logback-legacy-tests, this module only has test code (only src/test/java/... exists in that module) for legacy logback versions, and is never deployed other than to CI to run tests. The actual logback dependency in logback-ecs-encoder/pom.xml is already on 1.2.13.
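To check the claim made in the issue and the reply across all modules (whether every ch.qos.logback:logback-classic declaration meets the 1.2.13 threshold the alert gives), here is an added audit script that is not part of the issue or of the logback-ecs-encoder project. It assumes the POM files are available locally; the sample POMs are constructed inline, version ranges such as [1.2.13,) are judged by their lower bound, and unresolved ${...} properties are reported as needing review.

```python
# Added example (not from the issue or the project): flag logback-classic
# declarations in Maven POMs that sit below the 1.2.13 version the alert names.
import re
import xml.etree.ElementTree as ET

FIXED = (1, 2, 13)  # threshold taken from the Dependabot alert quoted in the issue
POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(text):
    """Return the lowest version a plain version or a Maven range can resolve
    to, as a tuple of ints; None when it cannot be resolved statically."""
    text = text.strip()
    lower = re.match(r"^[\[(]\s*([\d.]+)", text)  # range: use its lower bound
    if lower:
        text = lower.group(1)
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None  # e.g. ${logback.version}: needs property resolution first
    return tuple(int(part) for part in text.split("."))


def vulnerable_logback_deps(pom_xml):
    """Return (artifactId, version) pairs for logback-classic dependencies that
    are below FIXED or whose version could not be resolved."""
    root = ET.fromstring(pom_xml)
    ns = POM_NS if root.tag.startswith("{") else ""  # POMs may omit the xmlns
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        group = dep.findtext(f"{ns}groupId", "")
        artifact = dep.findtext(f"{ns}artifactId", "")
        version = dep.findtext(f"{ns}version", "")
        if group != "ch.qos.logback" or artifact != "logback-classic":
            continue
        parsed = parse_version(version)
        if parsed is None or parsed < FIXED:
            findings.append((artifact, version))
    return findings


def pom_with_logback(version):
    """Constructed minimal POM declaring logback-classic at the given version."""
    return f"""<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>{version}</version>
  </dependency></dependencies>
</project>"""


if __name__ == "__main__":
    for declared in ("1.2.11", "[1.2.13,)", "${logback.version}"):
        print(declared, "->", vulnerable_logback_deps(pom_with_logback(declared)))
```

For a real checkout, feed each module's pom.xml text to vulnerable_logback_deps; a legacy-tests module declaring an older version will be listed even though, as the reply notes, that module is only ever run in CI.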