[MNG-7382] log4j remote security execution implicated in maven-compiler-plugin - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.8.4
Fix Version/s: None
Component/s: Dependencies
Labels:
- security
- vulnerability
Environment:
Windows 10. But I know how to make it work like Linux.

Flags:

Important
External issue URL:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-44228#:~:text=Certain%20versions%20of%20Apache%20Log4j2,message%20lookup%20substitution%20is%20enabled.

Description

I use maven to build a java war to a tomcat webapps directory. During this process, I've issued that I am not using log4j anywhere. Nevertheless, every time I build log4j appears in the .m2 directory. I walked dependencies trees and executed finds in a variety of directories and can't find the dependency. However, when I executed maven with verbose mode I found it. Apparently, the maven-compiler-plugin requires a old and vulnerable version of log4j. Worse yet, I believe Tomcat is using it dynamically without configuration by it's mere presence in the .m2 directory. Hence, a security scanner flagged my website as having the log4j vulnerability.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

Capture.PNG
07/Jan/22 00:07
49 kB
Ronald Ayoub

Activity

People

Assignee:: Sylwester Lachiewicz

Reporter:: Ronald Ayoub

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 07/Jan/22 00:08

Updated:: 07/Jan/22 16:27

Resolved:: 07/Jan/22 15:48