List: mina-dev
Subject: [jira] [Commented] (SSHD-1248) Log4J2 Security Vulneralibility ( CVE-2021-44832 )
From: "Thomas Wolf (Jira)" <jira () apache ! org>
Date: 2022-02-28 7:49:00
Message-ID: JIRA.13430073.1645588792000.362127.1646034540045 () Atlassian ! JIRA
[ https://issues.apache.org/jira/browse/SSHD-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498746#comment-17498746 ]
Thomas Wolf commented on SSHD-1248:
-----------------------------------
[~pnugraha], somehow your comment about that effective-pom.xml is not visible as a
comment; it's shown only if "All" is selected in Jira.
However, look at that effective POM:
{code:xml}
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.5</version>
    <relativePath />
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ssh-server</artifactId>
  <version>0.0.1</version>
  <name>ssh-server</name>
  <description>Sample Spring for Custom POD</description>
  <url>https://spring.io/projects/spring-boot/ssh-server</url>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <name>Pivotal</name>
      <email>info@pivotal.io</email>
      <organization>Pivotal Software, Inc.</organization>
      <organizationUrl>https://www.spring.io</organizationUrl>
    </developer>
  </developers>
  <scm>
    <url>https://github.com/spring-projects/spring-boot/ssh-server</url>
  </scm>
...
{code}
This is *not* the POM of Apache MINA sshd. This is something else that uses Apache
MINA sshd. It also is apparently an example only. The SCM URL given doesn't work.
> Log4J2 Security Vulneralibility ( CVE-2021-44832 )
> --------------------------------------------------
>
> Key: SSHD-1248
> URL: https://issues.apache.org/jira/browse/SSHD-1248
> Project: MINA SSHD
> Issue Type: Question
> Affects Versions: 2.8.0
> Reporter: Putra Nugraha
> Priority: Major
> Attachments: effective-pom.xml, image-2022-02-28-15-06-13-418.png
>
>
> Upon checking for possible security vulnerabilities, I noticed MINA SSHD is using
> Log4J2 version 2.14.1, and Log4J2 made some fixes in the later version ( 2.17.1 for
> Java 8 ), one of which is related to RCE security vulnerabilities.
> May I know if there is any plan on MINA SSHD to adapt the above fix? Or can we
> please have this fixed if not planned?
> Further details on the above Log4J security vulnerabilities can be found here
> https://logging.apache.org/log4j/2.x/security.html
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
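
Added example, not part of the original message and not code from Apache MINA sshd: a small Python check that reads an effective POM, reports whose POM it is (project and parent coordinates), and lists Log4j2 artifacts older than the 2.17.1 release named in the issue. The sample POM is constructed; its coordinates come from the excerpt above, while the managed `log4j-core` entry is an assumption, since the excerpt is cut off before any dependencies.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED = (2, 17, 1)  # fixed Log4j2 release for Java 8 named in the issue text

# Constructed sample: coordinates from the POM excerpt above; the managed
# log4j-core entry is an assumption (the excerpt ends before any dependencies).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.5</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ssh-server</artifactId>
  <version>0.0.1</version>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def gav(elem):
    """Return 'groupId:artifactId:version' for a project, parent or dependency."""
    return ":".join(elem.findtext(f"m:{t}", "?", NS)
                    for t in ("groupId", "artifactId", "version"))

def audit(pom_xml):
    """Report whose POM this is and which Log4j2 artifacts are older than FIXED."""
    root = ET.fromstring(pom_xml)
    parent = root.find("m:parent", NS)
    outdated = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        if dep.findtext("m:groupId", "", NS) != "org.apache.logging.log4j":
            continue
        version = dep.findtext("m:version", "", NS)
        try:
            parsed = tuple(int(p) for p in version.split("."))
        except ValueError:
            parsed = ()  # unresolved property or qualifier: list it for manual review
        if parsed < FIXED:
            outdated.append(gav(dep))
    return {"project": gav(root),
            "parent": gav(parent) if parent is not None else None,
            "outdated_log4j": sorted(set(outdated))}

if __name__ == "__main__":
    print(audit(SAMPLE_POM))
```

The `project` and `parent` fields show at a glance which build the file describes, which is the first thing to check before attributing a dependency version to a library.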