  1. JOC - JobScheduler Operations Center
  2. JOC-930

Update use of log4j2 to 2.13.2 due to 3rd party vulnerability issue in log4j2 2.13.0 (CVE-2020-9488)

    Details

    • CVE-ID:
      CVE-2020-9488

      Description

      Vulnerability

      • Currently JOC Cockpit and JobScheduler use log4j2 version 2.13.0.
      • A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2020-9488
      • Severity Level: MINOR
        • There is no evident exploit with JobScheduler: the vulnerability concerns use of the SMTPS protocol, which does not apply to the logging behavior of JobScheduler, as it makes use of log files only. However, some users might have configured log4j properties for use with SMTPS.
        • We therefore consider this a minor vulnerability.
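
Added example (not code from the JobScheduler project): a check an operator could run to see whether this issue applies to an installation, flagging log4j-core jars below the 2.13.2 version named in this issue and log4j2 configurations whose SMTP appender sets `smtpProtocol` to `smtps`. The function names are hypothetical, and the sample configurations and the `example.invalid` hosts are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIXED = (2, 13, 2)  # update target named in this issue

def jar_needs_update(jar_name):
    """True if a log4j-core jar file name carries a version below FIXED."""
    m = re.search(r"log4j-core-(\d+)\.(\d+)\.(\d+)", jar_name)
    return bool(m) and tuple(map(int, m.groups())) < FIXED

def smtps_appenders_xml(text):
    """Names of SMTP appenders in a log4j2 XML config that use smtps."""
    hits = []
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        # concise syntax: <SMTP ...>; strict syntax: <Appender type="SMTP" ...>
        is_smtp = tag.lower() == "smtp" or attrs.get("type", "").lower() == "smtp"
        if is_smtp and attrs.get("smtpprotocol", "smtp").lower() == "smtps":
            hits.append(attrs.get("name", "?"))
    return hits

def smtps_appenders_properties(text):
    """Same check for the .properties syntax (appender.<id>.<key> = value)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip().lower()] = value.strip()
    hits = []
    for key, value in props.items():
        m = re.fullmatch(r"appender\.([^.]+)\.type", key)
        if m and value.lower() == "smtp":
            prefix = f"appender.{m.group(1)}."
            if props.get(prefix + "smtpprotocol", "smtp").lower() == "smtps":
                hits.append(props.get(prefix + "name", m.group(1)))
    return hits

# Constructed sample configurations (not taken from a JobScheduler installation)
SAMPLE_XML = """<Configuration><Appenders>
  <File name="file" fileName="logs/scheduler.log"/>
  <SMTP name="mail" smtpProtocol="smtps" smtpHost="mail.example.invalid"
        smtpPort="465" to="ops@example.invalid" subject="error"/>
</Appenders></Configuration>"""
SAMPLE_PROPS = """appender.m.type = SMTP
appender.m.name = mail
appender.m.smtpProtocol = smtps
appender.f.type = File
"""
```

An installation that logs to files only returns empty lists from both configuration checks, which matches the assessment above.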

      Mitigation

      • JOC Cockpit, JobScheduler Master and Agents use log4j2.

            People

            • Assignee:
              Oliver Haufe
              Reporter:
              Andreas Püschel
              Approver:
              Andreas Püschel