  1. JS - JobScheduler
  2. JS-1869

Update use of log4j to log4j2 due to 3rd party vulnerability issue in log4j (CVE-2019-17571)

Details

    • Fix
    • Status: Released
    • Major
    • Resolution: Fixed
    • 1.12.11, 1.13.2
    • 1.12.12, 1.13.3
    • None
    • None
    • CVE-2019-17571

    Description

      Vulnerability

      • Currently JOC Cockpit and JobScheduler use log4j version 1.2.16.
      • A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2019-17571
      • Severity Level: MINOR
        • There is no evident exploit with JobScheduler: the vulnerability concerns the use of a log server connected by TCP, which does not apply to the logging behavior of JobScheduler, as it makes use of log files only. However, some users might have configured log4j properties for use with a log server.
        • We therefore consider this a minor vulnerability.
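
      To check whether an installation has been configured for use with a log server, the following added example (not part of the original issue or of JobScheduler's code) scans the text of a log4j 1.x properties file for appenders that send events over TCP. The function name, the sample configuration and its host name are constructed for illustration; the appender class names are those shipped with log4j 1.2.

```python
import re

# log4j 1.x appender classes that ship events to a remote log server over TCP.
NETWORK_APPENDERS = {
    "org.apache.log4j.net.SocketAppender",
    "org.apache.log4j.net.SocketHubAppender",
}

APPENDER_LINE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*[=:]\s*(\S+)\s*$")
OPTION_LINE = re.compile(r"^log4j\.appender\.([^.=\s]+)\.(\w+)\s*[=:]\s*(.*)$")


def find_network_appenders(properties_text):
    """Return {appender_name: {"class": ..., option: value, ...}} for every
    appender in a log4j 1.x properties file that logs over the network."""
    classes, options = {}, {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        m = APPENDER_LINE.match(line)
        if m:
            classes[m.group(1)] = m.group(2)
            continue
        m = OPTION_LINE.match(line)
        if m:
            options.setdefault(m.group(1), {})[m.group(2)] = m.group(3).strip()
    return {
        name: {"class": cls, **options.get(name, {})}
        for name, cls in classes.items()
        if cls in NETWORK_APPENDERS
    }


# Constructed sample: one file appender (the default behaviour the issue
# describes) and one user-added appender pointing at a log server.
SAMPLE = """\
log4j.rootLogger=info, file, remote
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/scheduler.log
# log4j.appender.old=org.apache.log4j.net.SocketAppender
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=loghost.example.internal
log4j.appender.remote.Port=4560
"""

if __name__ == "__main__":
    for name, cfg in find_network_appenders(SAMPLE).items():
        print(f"appender '{name}' sends log events over TCP: {cfg}")
```

      A hit means a log server is in use; the receiving log4j 1.2 `SocketServer` on that host is the component CVE-2019-17571 concerns, so it is the one to review or replace.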

      Mitigation

      • JOC Cockpit, JobScheduler Master and Agents use log4j2 instead of log4j.

          People

            Santiago Aucejo Petzoldt
            Anuj Mandloi (Inactive)