
List:       mina-dev
Subject:    [jira] [Commented] (SSHD-1248) Log4J2 Security Vulnerability ( CVE-2021-44832 )
From:       "Thomas Wolf (Jira)" <jira () apache ! org>
Date:       2022-02-28 7:49:00
Message-ID: JIRA.13430073.1645588792000.362127.1646034540045 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/SSHD-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17498746#comment-17498746 ]

Thomas Wolf commented on SSHD-1248:
-----------------------------------

[~pnugraha], somehow your comment about that effective-pom.xml is not visible as a comment; it's shown only if "All" is selected in Jira.

However, look at that effective POM:
{code:xml}
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.5</version>
    <relativePath />
  </parent>
  <groupId>com.example</groupId>
  <artifactId>ssh-server</artifactId>
  <version>0.0.1</version>
  <name>ssh-server</name>
  <description>Sample Spring for Custom POD</description>
  <url>https://spring.io/projects/spring-boot/ssh-server</url>
  <licenses>
    <license>
      <name>Apache License, Version 2.0</name>
      <url>https://www.apache.org/licenses/LICENSE-2.0</url>
    </license>
  </licenses>
  <developers>
    <developer>
      <name>Pivotal</name>
      <email>info@pivotal.io</email>
      <organization>Pivotal Software, Inc.</organization>
      <organizationUrl>https://www.spring.io</organizationUrl>
    </developer>
  </developers>
  <scm>
    <url>https://github.com/spring-projects/spring-boot/ssh-server</url>
  </scm>
  ...
{code}

This is *not* the POM of Apache MINA sshd. This is something else that uses Apache MINA sshd. It also is apparently an example only. The SCM URL given doesn't work.

> Log4J2 Security Vulnerability ( CVE-2021-44832 )
> ------------------------------------------------
> 
> Key: SSHD-1248
> URL: https://issues.apache.org/jira/browse/SSHD-1248
> Project: MINA SSHD
> Issue Type: Question
> Affects Versions: 2.8.0
> Reporter: Putra Nugraha
> Priority: Major
> Attachments: effective-pom.xml, image-2022-02-28-15-06-13-418.png
> 
> 
> Upon checking for possible security vulnerabilities, I noticed MINA SSHD is using Log4J2 version 2.14.1, and Log4J2 made some fixes in a later version ( 2.17.1 for Java 8 ), one of which is related to a security vulnerability leading to RCE.
> May I know if there is any plan for MINA SSHD to adapt the above fix? Or can we please have this fixed if not planned?
> Further details on the above Log4J security vulnerabilities can be found here:
> https://logging.apache.org/log4j/2.x/security.html





