Details
- Fix
- Status: Released
- Major
- Resolution: Fixed
- 1.12.11, 1.13.2
- CVE-2019-17571
Description
Vulnerability
- Currently JOC Cockpit and JobScheduler use log4j version 1.2.16.
- A vulnerability affects this version; see https://nvd.nist.gov/vuln/detail/CVE-2019-17571
- Severity Level: MINOR
- There is no evident exploit with JobScheduler, as the vulnerability concerns the use of a log server connected by TCP. This does not apply to the logging behavior of JobScheduler, which makes use of log files only. However, some users might have configured log4j properties for use with a log server.
- We therefore consider this a minor vulnerability.
Mitigation
- JOC Cockpit, JobScheduler Master and Agents use log4j2 instead of log4j.