JS - JobScheduler / JS-1869

Update use of log4j to log4j2 due to 3rd party vulnerability issue in log4j (CVE-2019-17571)

    Details

    • Type: Fix
    • Status: Released
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.12.11, 1.13.2
    • Fix Version/s: 1.12.12, 1.13.3
    • Component/s: None
    • Labels: None
    • CVE-ID: CVE-2019-17571

      Description

      Vulnerability

      • Currently JOC Cockpit and JobScheduler use log4j version 1.2.16.
      • A vulnerability affects this version, see https://nvd.nist.gov/vuln/detail/CVE-2019-17571
      • Severity Level: MINOR
        • There is no evident exploit with JobScheduler: the vulnerability concerns the use of a log server connected by TCP, which does not apply to the logging behavior of JobScheduler, as it makes use of log files only. However, some users might have configured log4j properties for use with a log server.
        • We therefore consider this a minor vulnerability.
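
A configuration check for the log server case mentioned above, as an added example that is not part of the original issue or of the JobScheduler code base: it scans Log4j 1.x properties text for `org.apache.log4j.net.SocketAppender`, the appender that sends events to a remote log server over TCP, and reports whether each one is attached to a logger. The sample configuration, host names and function names are constructed for illustration.

```python
import re

# Log4j 1.x appender class that ships log events to a remote log server over TCP.
SOCKET_APPENDER = "org.apache.log4j.net.SocketAppender"
LOGGER_KEY = re.compile(r"log4j\.(rootLogger|rootCategory|logger\..+|category\..+)")
APPENDER_KEY = re.compile(r"log4j\.appender\.([^.]+)")

def load_properties(text):
    """Parse key=value lines; continuation lines and ':' separators are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def find_socket_appenders(text):
    """Return one finding per SocketAppender defined in the properties text."""
    props = load_properties(text)
    attached = set()  # appender names referenced by any logger: "LEVEL, a1, a2"
    for key, value in props.items():
        if LOGGER_KEY.fullmatch(key):
            attached.update(n.strip() for n in value.split(",")[1:] if n.strip())
    findings = []
    for key, value in props.items():
        m = APPENDER_KEY.fullmatch(key)
        if m and value == SOCKET_APPENDER:
            # Option names are matched case-insensitively (RemoteHost / remoteHost).
            opts = {k[len(key) + 1:].lower(): v for k, v in props.items()
                    if k.startswith(key + ".")}
            findings.append({"appender": m.group(1),
                             "remote_host": opts.get("remotehost"),
                             "port": opts.get("port"),
                             "attached": m.group(1) in attached})
    return findings

# Constructed sample configuration (not taken from JobScheduler).
SAMPLE = """\
# file logging plus a remote log server
log4j.rootLogger=INFO, file, remote
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/scheduler.log
log4j.appender.remote=org.apache.log4j.net.SocketAppender
log4j.appender.remote.RemoteHost=logserver.example.com
log4j.appender.remote.Port=4560
log4j.appender.unused=org.apache.log4j.net.SocketAppender
log4j.appender.unused.remoteHost=192.0.2.10
"""

if __name__ == "__main__":
    for finding in find_socket_appenders(SAMPLE):
        print(finding)
```

An appender reported with `attached` set to `False` is defined but not referenced by any logger, so it sends nothing until a logger is pointed at it.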

      Mitigation

      • JOC Cockpit, JobScheduler Master and Agents use log4j2 instead of log4j.

            People

            • Assignee: Santiago Aucejo Petzoldt
            • Reporter: Santiago Aucejo Petzoldt
            • Approver: Anuj Mandloi
            • Votes: 0
            • Watchers: 2