Re: how to mitigate for the Log4J CVE Vulnerability scan report.

Mauricio Tavares Mon, 03 Jan 2022 03:53:04 -0800

On Mon, Jan 3, 2022 at 6:03 AM <lavanya.shanthaku...@infineon.com> wrote:
>
> Dear Team,
>
> Scanning for Log4J CVE Vulnerability found these files with severity 
> mentioned below.
> Can you guide on how to mitigate ?
>
>
>
> svn version: 1.8.19
>
> OS: Windows
>
> Severity
>
> File Found
>
> Vulnerable
>
> D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\grails-plugin-log4j-2.4.4.jar
>
> Outdated
>
> D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\log4j-1.2.17.jar
>
> Unknown version
>
> D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\tomcat-embed-logging-log4j-7.0.50.jar
>
> Outdated
>
> D:\csvn\appserver\work\jetty-0.0.0.0-3343-integration.war-_integration-any-\webapp\WEB-INF\lib\log4j-1.2.13.jar
>
>
>
> Thanks & Regards,
> Lavanya.


AFAIK, subversion by itself has no java. In fact, per
https://subversion.apache.org/, "Some vendors provide Java based web
interfaces bundled with their Subversion distribution. Please check
your vendor's information to verify if you are vulnerable." Do you
know where you got your Windows binaries from? Some of them are listed
in https://subversion.apache.org/packages.html#windows

Re: how to mitigate for the Log4J CVE Vulnerability scan report.

Reply via email to