[slf4j-dev] [JIRA] (SLF4J-486) deserialization of untrusted data risk on slf4j-log4j12
QOS.CH (JIRA)
noreply-jira at qos.ch
Mon Mar 2 17:31:00 CET 2020
Juan Diego Morera created SLF4J-486:
---------------------------------------
Summary: deserialization of untrusted data risk on slf4j-log4j12
Key: SLF4J-486
URL: https://jira.qos.ch/browse/SLF4J-486
Project: SLF4J
Issue Type: Bug
Affects Versions: 2.0.0-alpha1
Reporter: Juan Diego Morera
Assignee: SLF4J developers list
Hello, it looks like the latest version of slf4j-log4j12 (2.0.0-alpha1) has a dependency on log4j-1.2.17.jar, and it will have the issue of deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.
Related documentation: https://nvd.nist.gov/vuln/detail/CVE-2019-17571
Please let me know if you already have this on your radar.
Regards.
--
This message was sent by Atlassian JIRA
(v7.3.1#73012)
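A practical way to confirm the report's concern in your own build is to check whether `log4j:log4j` 1.2.x reaches the classpath transitively through `slf4j-log4j12`. The script below is an added example, not part of the JIRA issue or the SLF4J project: it parses the text output of `mvn dependency:tree` (a constructed sample is embedded), rebuilds the path from the root artifact to each node, and flags any log4j 1.2.x node with the chain that pulled it in; it treats every 1.2.x release as affected by CVE-2019-17571 and ignores whether the SocketServer is actually in use, so a finding means "review", not "exploitable".

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real project output).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.slf4j:slf4j-log4j12:jar:2.0.0-alpha1:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:2.0.0-alpha1:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.13:test
"""

# Each tree level is a 3-character unit: "+- ", "\- ", "|  " or "   ".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[+\\]- |[| ]  )*)(?P<coords>\S+)$")


def find_vulnerable_log4j(tree_text):
    """Return one finding per log4j:log4j 1.2.x node, with the dependency path."""
    findings = []
    stack = []  # "group:artifact:version" for each ancestor, indexed by depth
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # download notices, blank lines, etc.
        depth = len(m.group("prefix")) // 3
        parts = m.group("coords").split(":")
        # Coordinates are g:a:type:version (root), g:a:type:version:scope,
        # or g:a:type:classifier:version:scope.
        group, artifact = parts[0], parts[1]
        has_scope = len(parts) >= 5
        version = parts[-2] if has_scope else parts[-1]
        scope = parts[-1] if has_scope else "compile"
        del stack[depth:]  # drop siblings' subtrees before descending
        stack.append(f"{group}:{artifact}:{version}")
        if group == "log4j" and artifact == "log4j" and version.startswith("1.2."):
            findings.append({
                "version": version,
                "scope": scope,
                "path": " -> ".join(stack),  # root ... -> log4j:log4j:1.2.x
            })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"log4j {f['version']} ({f['scope']}) via {f['path']}")
```

Feed it real output with `mvn dependency:tree | python3 check_log4j.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.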