Fix Log4shell Zero-Day exploit vulnerabilities #6

Closed
hgschwibbe opened this issue Mar 18, 2022 · 2 comments
Labels
enhancement New feature or request status:fixed The issue has been fixed


@hgschwibbe

hgschwibbe commented Mar 18, 2022

Bug description
The latest Winfoom release contains dependencies that probably make Winfoom vulnerable to Log4Shell/CVE-2021-44228.

As you can see in the Logback news, Logback provided a security fix with version 1.2.9, but Winfoom uses version 1.2.5.
[Image: log4shell]

Log4j-API 2.14.1 is also vulnerable to Log4Shell, see Apache Log4j Security Vulnerabilities for more details. I recommend using Log4j-API 2.17.2.

Current dependencies found in Winfoom 4.0.1:
[Image: winfoom]
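
A first-pass check for the versions named in this issue, as an added example that is not part of the original thread or of Winfoom's code: it parses jar file names and flags Logback and Log4j artifacts older than 1.2.9 and 2.17.2. Applying one minimum to every `logback-*` and `log4j-*` artifact is an assumption, and the file listing is constructed.

```python
import posixpath
import re

# Minimum versions taken from the issue text. Applying one minimum to every
# artifact in a family (logback-*, log4j-*) is an assumption of this example.
MINIMUM_BY_PREFIX = {"logback-": (1, 2, 9), "log4j-": (2, 17, 2)}

# <artifact>-<numeric version>[qualifier].jar, e.g. logback-core-1.2.5.jar
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d+(?:\.\d+)*)"
    r"(?:[-.][A-Za-z0-9.]+)?\.jar$"
)


def parse_jar(path):
    """Return (artifact, version tuple) for a jar path, or None if unparseable."""
    match = JAR_RE.match(posixpath.basename(path.replace("\\", "/")))
    if match is None:
        return None
    version = tuple(int(part) for part in match["version"].split("."))
    return match["artifact"], version + (0,) * (3 - len(version))


def outdated(paths):
    """List (path, found, required) for jars older than the family minimum."""
    findings = []
    for path in paths:
        parsed = parse_jar(path)
        if parsed is None:
            continue  # renamed or shaded jars need a content-based check instead
        artifact, version = parsed
        for prefix, minimum in MINIMUM_BY_PREFIX.items():
            if artifact.startswith(prefix) and version < minimum:
                findings.append((path, version, minimum))
    return findings


# Constructed listing: only the two old version numbers come from the issue text.
SAMPLE = [
    "lib/logback-classic-1.2.5.jar",
    "lib\\log4j-api-2.14.1.jar",
    "lib/log4j-api-2.17.2.jar",
    "lib/logback-core-1.2.9.jar",
    "lib/example-tool.jar",
]

if __name__ == "__main__":
    for path, found, required in outdated(SAMPLE):
        print(path, ".".join(map(str, found)), "<", ".".join(map(str, required)))
```

A file-name check like this misses renamed or repackaged jars, so treat an empty result as a starting point rather than proof.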

@ecovaci
Owner

ecovaci commented Mar 18, 2022

It can be solved by using Log4j Commons Logging Adapter. I will issue a new version. Thank you.

@ecovaci
Owner

ecovaci commented Mar 19, 2022

Solved in v4.0.2

@ecovaci ecovaci self-assigned this Mar 19, 2022
@ecovaci ecovaci added enhancement New feature or request status:fixed The issue has been fixed labels Mar 19, 2022