www-announce mailing list archives

From <...@apache.org>
Subject [SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Date Wed, 07 Feb 2018 07:24:44 GMT
CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability


Severity: low
Vendor: The Apache Software Foundation
Versions Affected:
  Apache Ant 1.9.0 - 1.9.9
  Apache Ant 1.10.0 - 1.10.1
  The unsupported Apache Ant 1.8 and lower versions are also affected.
Description:
  When using Apache Ant's Log4jListener there could be a security issue with the
  underlying Apache Log4j library in version 1.x.
  Please note that Log4j 1.x has reached its end of life and is no longer maintained.
  For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.
Mitigation:
  Users should either not use the Log4jListener or use the log4j2-bridge instead.
  (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)
Credit: 
  This issue was discovered by Wade Schwarz of Oracle.
 
 
-Jan Matèrne
on behalf of the Apache Ant PMC
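
A triage check built from the version ranges and mitigation above, as an added example that is not part of the original advisory or of Apache Ant: it parses `ant -version` output and scans build scripts for references to the listener. The function names, file names and sample lines are constructed for illustration.

```python
import re

def parse_ant_version(text):
    """Pull (major, minor, patch) out of `ant -version` output or a bare version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def in_affected_range(v):
    """Advisory ranges: 1.8 and lower, 1.9.0 - 1.9.9, 1.10.0 - 1.10.1."""
    return v <= (1, 9, 9) or (1, 10, 0) <= v <= (1, 10, 1)

def listener_references(named_texts):
    """Return (source, line_no, line) for each line naming the Log4jListener."""
    hits = []
    for source, text in named_texts.items():
        for no, line in enumerate(text.splitlines(), 1):
            # Case-insensitive so both spellings used in the advisory are caught.
            if "log4jlistener" in line.lower():
                hits.append((source, no, line.strip()))
    return hits

def assess(version_text, named_texts):
    """Combine both checks into the action the advisory's mitigation implies."""
    version = parse_ant_version(version_text)
    hits = listener_references(named_texts)
    if not hits:
        action = "none: Log4jListener is not referenced"
    elif in_affected_range(version):
        action = "drop the listener, or upgrade Ant and use the log4j2-bridge"
    else:
        action = "bridge-capable Ant: confirm the log4j2-bridge is in use"
    return {"version": version, "hits": hits, "action": action}

# Constructed sample input (not taken from a real build).
SAMPLE_VERSION = "Apache Ant(TM) version 1.10.1 compiled on February 2 2017"
SAMPLE_FILES = {
    "ci/build.sh": "#!/bin/sh\nant -listener org.apache.tools.ant.listener.Log4jListener dist\n",
    "ci/env.sh": "export ANT_ARGS='-logger org.apache.tools.ant.NoBannerLogger'\n",
}

if __name__ == "__main__":
    report = assess(SAMPLE_VERSION, SAMPLE_FILES)
    print(report["version"], report["action"])
    for source, no, line in report["hits"]:
        print(f"  {source}:{no}: {line}")
```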

