
Comments (6)

ForNeVeR commented on June 9, 2024

There are two new critical severity CVEs that affect this old version of the library CVE-2021-44228 and CVE-2021-45046.

Are you sure about that? The CVEs themselves only mention log4j 2.

from team-explorer-everywhere.

dude0001 commented on June 9, 2024

I am not a security expert, so this is not advice. However, I looked again and I think you may be correct on CVE-2021-44228. It looks like it only affects v2 of the library and I misunderstood. I mentioned CVE-2021-45046 only to point out there is already another CVE in the first attempt to fix these issues and the very latest version is needed to fix all known issues currently. Thank you for asking for clarification, I don't want to spread misinformation as this is already a difficult situation for lots of people.

The issue that the version of Log4J used in this repo is EOL and has a high severity CVE that is a couple of years old now is still a big concern for us. With these new CVEs attackers will be scanning for this library, try to take advantage of the old CVE in new ways or look for other exploits in the old version. If and when they find more issues they would not be patched in the EOL version. The issue still stands. Are there any plans to update to a supported version of Log4J without these vulnerabilities? Are there suggested mitigation steps we can take until a patch is provided?


ForNeVeR commented on June 9, 2024

The issue that the version of Log4J used in this repo is EOL and has a high severity CVE that is a couple years old now

Yes, this is true. Though, the issue is only active in the presence of socket-based logging, which isn't used in TEE.


cypherfunc commented on June 9, 2024

Log4J 1.2.x is not vulnerable to CVE-2021-44228, but there is a corresponding issue CVE-2021-4104 (https://access.redhat.com/security/cve/CVE-2021-4104) which is specific to Log4j 1.x.

Note this flaw ONLY affects applications which are specifically configured to use JMSAppender, which is not the default, or when the attacker has write access to the Log4j configuration for adding JMSAppender to the attacker's JNDI LDAP endpoint.

Is TEE vulnerable to this?

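The two exposure conditions raised in this thread (socket-based logging, and a JMSAppender wired into the Log4j 1.x configuration for CVE-2021-4104) are both visible in the log4j configuration file, so they can be checked mechanically. The following scanner is an added example and is not code from the TEE project or from any commenter. It assumes that "socket-based logging" refers to the Log4j 1.x classes org.apache.log4j.net.SocketAppender and SocketHubAppender, and the two sample configurations it scans are constructed for the demonstration; it also distinguishes an appender that is merely defined from one that a logger actually references, since only the latter receives events.

```python
"""Scan a Log4j 1.x configuration (properties or XML) for the exposure
conditions discussed above: JMSAppender (CVE-2021-4104) and socket-based
logging appenders.  Added example, not TEE project code.  Assumption: the
socket classes listed below are what "socket-based logging" refers to.
The SAMPLE_* configurations are constructed for the demo."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

RISKY_APPENDERS = {
    "org.apache.log4j.net.JMSAppender":
        "CVE-2021-4104: JMSAppender resolves JNDI names taken from its configuration",
    "org.apache.log4j.net.SocketAppender": "socket-based logging (assumed class)",
    "org.apache.log4j.net.SocketHubAppender": "socket-based logging (assumed class)",
}


@dataclass
class Finding:
    appender: str   # appender name used in the config
    cls: str        # fully qualified appender class
    reason: str
    attached: bool  # True if root or some logger references this appender


def _findings(appenders, attached):
    # An appender nobody references is not wired to any logger, so events
    # never reach it; report that distinction rather than hiding it.
    return [Finding(name, cls, RISKY_APPENDERS[cls], name in attached)
            for name, cls in appenders.items() if cls in RISKY_APPENDERS]


def scan_properties(text):
    """Parse log4j.properties-style text (key=value or key:value lines)."""
    appenders, attached = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        app = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if app:
            appenders[app.group(1)] = value
        elif key in ("log4j.rootLogger", "log4j.rootCategory") or \
                key.startswith(("log4j.logger.", "log4j.category.")):
            # Value is "LEVEL, appenderA, appenderB": first token is the level.
            attached.update(v.strip() for v in value.split(",")[1:] if v.strip())
    return _findings(appenders, attached)


def scan_xml(text):
    """Parse log4j.xml-style configuration."""
    appenders, attached = {}, set()
    for el in ET.fromstring(text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any namespace prefix
        if tag == "appender":
            appenders[el.get("name", "")] = el.get("class", "")
        elif tag == "appender-ref":
            attached.add(el.get("ref", ""))
    return _findings(appenders, attached)


def report(findings):
    if not findings:
        return ["no JMS or socket appenders configured"]
    return [f"{'ACTIVE' if f.attached else 'defined, not attached'}: "
            f"appender '{f.appender}' is {f.cls}; {f.reason}" for f in findings]


# Constructed sample: JMSAppender attached to root, SocketAppender only defined.
SAMPLE_PROPERTIES = """\
# constructed sample config, not a real TEE configuration
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://jndi.example.test:389/
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.sock=org.apache.log4j.net.SocketAppender
log4j.appender.sock.RemoteHost=logs.example.test
"""

# Constructed sample: JMSAppender defined but root only references the console.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender">
    <layout class="org.apache.log4j.PatternLayout"/>
  </appender>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="ProviderURL" value="ldap://jndi.example.test:389/"/>
  </appender>
  <root>
    <priority value="info"/>
    <appender-ref ref="console"/>
  </root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, text, scan in (("properties", SAMPLE_PROPERTIES, scan_properties),
                              ("xml", SAMPLE_XML, scan_xml)):
        print(f"== {label}")
        for line in report(scan(text)):
            print(line)
```

Run it against the real log4j.properties or log4j.xml shipped with a deployment (and any copy overridden at runtime via -Dlog4j.configuration) rather than the embedded samples; a finding marked "defined, not attached" still deserves attention if anyone with write access to the configuration could attach it, which is the second condition the Red Hat text above describes.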

cypherfunc commented on June 9, 2024

see microsoft/azure-devops-intellij#465 (comment)


cypherfunc commented on June 9, 2024

For anyone else looking into this, the answer is no, see microsoft/azure-devops-intellij#465 (comment)

