Update Log4j Dependency to a Supported Version to Address Vulnerabilities
Description
The current implementation of codeclimate-duplication includes dependencies on Apache Log4j version 1.x, as identified by a security scan. This version is end-of-life (EOL) and contains multiple high-severity vulnerabilities, including remote code execution (RCE) risks. Updating to a supported version (Log4j 2.17.2 or later) is necessary to address these security concerns.
Addressing this issue is critical to maintaining the security and integrity of systems utilizing codeclimate-duplication. If further assistance is needed, I am happy to provide additional details or support testing efforts.
Thank you for your attention to this matter.
Detected Vulnerabilities
- Apache Log4j 1.x Multiple Vulnerabilities (CVE-2019-17571, CVE-2020-9488, CVE-2022-23302)
- Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)

Path Identified:
`/srv/containers/gitlab-runner/overlay/<hash>/diff/home/app/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar`
Recommended Actions
- Upgrade: move to Log4j 2.17.2 or later and confirm that the existing configuration files (e.g., `log4j.properties`) are compatible with Log4j 2.x.
- Review Usage: check whether the vulnerable components (e.g., `JMSAppender`) are in use.
- Testing:
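The "Path Identified" and "Review Usage" items above can be turned into a repeatable check. The script below is an added example, not part of this issue or the codeclimate-duplication project: it walks a directory tree such as a `.m2` repository, flags log4j jars below 2.17.2 or containing Log4j 1.x classes, and reports `log4j.properties` / `log4j.xml` entries that reference the 1.x components behind the CVEs listed above. The sample tree it audits is constructed for the demonstration and mirrors the jar path quoted in the issue.

```python
import re, tempfile, zipfile
from pathlib import Path

MIN_SUPPORTED = (2, 17, 2)                        # floor named in this issue
LOG4J1_MARKER = "org/apache/log4j/Logger.class"    # entry present in Log4j 1.x jars
# Log4j 1.x classes behind the CVEs listed above: JMSAppender (CVE-2021-4104),
# SocketServer (CVE-2019-17571), SMTPAppender (CVE-2020-9488), JMSSink (CVE-2022-23302)
RISKY_CLASSES = ("JMSAppender", "SocketServer", "SMTPAppender", "JMSSink")
JAR_RE = re.compile(r"^log4j(?:-core|-api)?-(\d+(?:\.\d+)+)\.jar$")

def parse_version(name):
    """'log4j-1.2.12.jar' -> (1, 2, 12); None when the name is not a plain log4j jar."""
    m = JAR_RE.match(name)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None

def audit(root):
    """Walk root and return (kind, path, detail) findings; an empty list means clean."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix == ".jar":
            ver = parse_version(path.name)
            if ver is not None and ver < MIN_SUPPORTED:
                findings.append(("unsupported-version", str(path), ".".join(map(str, ver))))
            try:  # content check catches renamed or shaded copies of Log4j 1.x; it also
                with zipfile.ZipFile(path) as zf:  # matches the log4j-1.2-api bridge, by design
                    if LOG4J1_MARKER in zf.namelist():
                        findings.append(("log4j1-classes", str(path), LOG4J1_MARKER))
            except zipfile.BadZipFile:
                findings.append(("unreadable-jar", str(path), "not a zip archive"))
        elif path.name in ("log4j.properties", "log4j.xml"):
            text = path.read_text(errors="replace")
            findings += [("risky-config", str(path), c) for c in RISKY_CLASSES if c in text]
    return findings

def build_sample(root):
    """Constructed fixture mirroring the .m2 layout quoted in the issue (not real scan data)."""
    repo = Path(root) / ".m2/repository/log4j/log4j/1.2.12"
    repo.mkdir(parents=True)
    with zipfile.ZipFile(repo / "log4j-1.2.12.jar", "w") as zf:
        zf.writestr(LOG4J1_MARKER, b"")
    with zipfile.ZipFile(Path(root) / "log4j-core-2.17.2.jar", "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
    (Path(root) / "log4j.properties").write_text(
        "log4j.rootLogger=INFO, jms\nlog4j.appender.jms=org.apache.log4j.net.JMSAppender\n")

def demo():
    """Audit the fixture in a temp dir; paths are reduced to file names for readability."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return [(kind, Path(p).name, detail) for kind, p, detail in audit(tmp)]
```

Running `demo()` reports the 1.2.12 jar twice (by version and by content) and the `JMSAppender` line in `log4j.properties`, while the 2.17.2 core jar produces no finding; point `audit()` at a real `.m2` or container overlay directory to use it on actual scan targets.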
References