[jira] [Created] (LOG4J2-2796) CVEs in the execution path imported by dependencies

Tue, 03 Mar 2020 01:08:57 -0800 

XuCongying created LOG4J2-2796:
----------------------------------

             Summary: CVEs in the execution path imported by dependencies
                 Key: LOG4J2-2796
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2796
             Project: Log4j 2
          Issue Type: Dependency upgrade
            Reporter: XuCongying


Hello, Your project are using some dependencies with CVEs. I found that the 
buggy methods of the CVEs are in the program execution path of your project. To 
prevent potential security risks it may cause, I suggest to update the library 
dependency. Please look into the details below.
 * *Vulnerable Dependency:* org.slf4j : slf4j-ext : 1.7.25

 * *Call Chain to Buggy Methods:*

 ** *Some files in your project call the library method 
org.slf4j.ext.EventData.getMessage(), which can reach the buggy method of 
[CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*

 *** Files in your project:  
log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java

 *** One of the possible call chain:
org.slf4j.ext.EventData.getMessage() [buggy method]
 ** *Some files in your project call the library method 
org.slf4j.ext.EventData.getEventMap(), which can reach the buggy method of 
[CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*

 *** Files in your project:  
log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java

 *** One of the possible call chain:
org.slf4j.ext.EventData.getEventMap() [buggy method]
 ** *Some files in your project call the library method 
org.slf4j.ext.EventData.getEventType(), which can reach the buggy method of 
[CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*

 *** Files in your project:  
log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java

 *** One of the possible call chain:
org.slf4j.ext.EventData.getEventType() [buggy method]
 ** *Some files in your project call the library method 
org.slf4j.ext.EventData.getEventId(), which can reach the buggy method of 
[CVE-2018-8088|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8088].*

 *** Files in your project:  
log4j-slf4j-impl/src/main/java/org/apache/logging/slf4j/EventDataConverter.java

 *** One of the possible call chain:
org.slf4j.ext.EventData.getEventId() [buggy method]
 ** *Update suggestion:* version 1.8.0-beta2 1.8.0-beta2 is a safe version 
without CVEs. From 1.7.25 to 1.8.0-beta2, the APIs used in your project have 
not changed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to