JOC - JobScheduler Operations Center / JOC-930

Update use of log4j2 to 2.13.2 due to 3rd party vulnerability issue in log4j2 2.13.0 (CVE-2020-9488)

Details

    • CVE-2020-9488

    Description

      Vulnerability

      • Currently JOC Cockpit and JobScheduler use log4j2 version 2.13.0.
      • A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2020-9488
      • Severity Level: MINOR
        • There is no evident exploit with JobScheduler: the vulnerability concerns use of the SMTPS protocol, which does not apply to JobScheduler's logging behavior, as it makes use of log files only. However, some users might have configured log4j properties for use with SMTPS.
        • We therefore consider this a minor vulnerability.

      Mitigation

      • JOC Cockpit, JobScheduler Master and Agents use log4j2.
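
A configuration check for the condition described under Vulnerability, as an added example that is not code from JOC Cockpit, JobScheduler or this issue: it lists log4j2 SMTP appenders whose `smtpProtocol` is `smtps` in XML or properties configuration and flags a `log4j-core` jar below 2.13.2. The function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

TARGET = (2, 13, 2)  # version this issue updates to

def smtps_appenders_xml(text):
    """Names of SMTP appenders in a log4j2 XML config with smtpProtocol="smtps".
    Values set through nested elements or ${...} lookups are not resolved."""
    hits = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop namespace; names are case-insensitive
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        is_smtp = tag == "smtp" or (tag == "appender" and attrs.get("type", "").lower() == "smtp")
        if is_smtp and attrs.get("smtpprotocol", "").lower() == "smtps":
            hits.append(attrs.get("name", "?"))
    return hits

def smtps_appenders_properties(text):
    """Same check for the properties syntax: appender.<id>.<key> = <value>."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*appender\.([^.\s]+)\.(\w+)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props.setdefault(m.group(1), {})[m.group(2).lower()] = m.group(3)
    return [p.get("name", i) for i, p in props.items()
            if p.get("type", "").lower() == "smtp" and p.get("smtpprotocol", "").lower() == "smtps"]

def below_target(jar_name):
    """True if a log4j-core jar file name carries a version below TARGET."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    return bool(m) and tuple(map(int, m.groups())) < TARGET

# Constructed sample inputs (hosts, addresses and file names are made up).
SAMPLE_XML = """<Configuration>
  <Appenders>
    <File name="File" fileName="logs/joc.log"/>
    <SMTP name="Mail" to="ops@example.invalid" from="joc@example.invalid"
          smtpHost="mail.example.invalid" smtpPort="465" smtpProtocol="smtps"/>
  </Appenders>
</Configuration>"""
SAMPLE_PROPS = """appender.file.type = File
appender.mail.type = SMTP
appender.mail.name = Mail
appender.mail.smtpProtocol = smtps
"""

if __name__ == "__main__":
    print(smtps_appenders_xml(SAMPLE_XML), smtps_appenders_properties(SAMPLE_PROPS))
    print(below_target("log4j-core-2.13.0.jar"))
```
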

          People

            Oliver Haufe
            Andreas Püschel