Migrate to log4j 2.17.1 or newer
LukaszKontowski opened this issue · comments
LukaszKontowski commented
The current version of log4j - 1.2.17 - has lots of vulnerabilities. Also, Log4j 1 reached End-Of-Life in August 2015. Migrating to some safe log4j 2.x version would be beneficial for the project and for scalaxb users.

Migrate to log4j 2.17.1 or newer.
Example vulnerability findings for 1.2.17:
✗ Man-in-the-Middle (MitM) [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-1300176] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Arbitrary Code Execution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ SQL Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342645] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342646] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2342647] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-3358774] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
✗ Deserialization of Untrusted Data [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-572732] in log4j:log4j@1.2.17
introduced by com.my-company:my-project_2.13@0.1.0 > org.scalaxb:scalaxb_2.13@1.9.0 > log4j:log4j@1.2.17
No upgrade or patch available
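Until the upstream dependency changes, a downstream sbt project can drop the transitive log4j 1.2.17 artifact and route scalaxb's log4j 1.x API calls to a log4j 2.17.1 core. The `build.sbt` fragment below is an added example, not part of this issue or of the scalaxb project; the project name and versions other than the 2.17.1 mentioned above are placeholders, and it assumes scalaxb only needs the log4j 1.2 API surface that the `log4j-1.2-api` bridge provides.

```scala
// build.sbt (added example; "my-project" and the scalaxb version are placeholders)
name := "my-project"
scalaVersion := "2.13.8"

libraryDependencies ++= Seq(
  // the dependency that pulls in log4j:log4j@1.2.17 transitively
  "org.scalaxb" %% "scalaxb" % "1.9.0",
  // log4j 2 runtime (the version this issue asks for) ...
  "org.apache.logging.log4j" % "log4j-api"     % "2.17.1",
  "org.apache.logging.log4j" % "log4j-core"    % "2.17.1",
  // ... plus the bridge that implements the org.apache.log4j 1.x API
  // on top of log4j 2, so scalaxb's logging calls keep working
  "org.apache.logging.log4j" % "log4j-1.2-api" % "2.17.1"
)

// Remove the vulnerable 1.2.17 artifact from every configuration;
// the bridge above supplies the same package names.
excludeDependencies += ExclusionRule(organization = "log4j", name = "log4j")

// Verify with `sbt dependencyTree` (built into sbt 1.4+) that
// log4j:log4j no longer appears anywhere in the resolved graph.
```

The exclusion is global, so if another dependency also brings in log4j 1.x it is removed as well, which is what you want; the thing to confirm after the change is that no classpath entry still contains `org/apache/log4j/` classes from the 1.2.17 jar rather than from the bridge.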