Log4J vulnerability #631

Closed
Ulukai55 opened this issue Dec 13, 2021 · 3 comments

Comments

@Ulukai55

You might have heard about the Log4J zero-day vulnerability, https://access.redhat.com/security/cve/CVE-2021-44228.
PWM ships with Log4J version 1.2.17, which is unsupported but also contains this vulnerability, https://access.redhat.com/security/cve/CVE-2021-4104.

What are the plans to update PWM to support a fixed version of Log4J?
Can we take measures ourselves and install a newer version of Log4J.jar over the old version without breaking things?

@jrivard
Contributor

jrivard commented Dec 13, 2021

PWM is not affected by CVE-2021-4104. It does not use JMSAppender.

See #628 for CVE-2021-44228 information.

@jrivard jrivard closed this as completed Dec 13, 2021
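
The reply above ties CVE-2021-4104 exposure to whether JMSAppender is in use. The following is an added example, not code from PWM or from the thread: it checks a log4j 1.x configuration file for active JMSAppender references and checks whether a jar still ships the class. The sample configurations and jar contents are constructed, and the check covers file-based configuration only, not appenders attached programmatically.

```python
import io
import re
import zipfile

JMS_CLASS_PATH = "org/apache/log4j/net/JMSAppender.class"
JMS_CLASS_NAME = re.compile(r"org\.apache\.log4j\.net\.JMSAppender\b")
XML_COMMENT = re.compile(r"<!--.*?-->", re.S)

def jms_appender_lines(config_text):
    """Line numbers of active (non-comment) JMSAppender references in a
    log4j 1.x .properties or XML configuration."""
    # Blank out XML comments but keep their newlines so numbering holds.
    text = XML_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), config_text)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "!")):  # .properties comments
            continue
        if JMS_CLASS_NAME.search(line):
            hits.append(number)
    return hits

def jar_ships_jms_appender(jar_bytes):
    """True if the jar still contains the JMSAppender class file."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JMS_CLASS_PATH in jar.namelist()

def make_jar(entries):
    """Build an in-memory jar (constructed test data, empty class bodies)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()

# Constructed sample inputs, not taken from PWM.
PROPS_NO_JMS = """log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
PROPS_JMS = """log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
XML_JMS = """<log4j:configuration>
  <!-- <appender name="old" class="org.apache.log4j.net.JMSAppender"/> -->
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>
"""

if __name__ == "__main__":
    for name, cfg in [("no-jms", PROPS_NO_JMS), ("jms", PROPS_JMS), ("xml", XML_JMS)]:
        print(name, jms_appender_lines(cfg))
```
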
@sahil-sardana

Hello @jrivard, can you please confirm if we are using JMS Sink in PWM?

@jrivard
Contributor

jrivard commented Mar 31, 2022

See #628.
