GHSA-j7c3-96rf-jrrp

Опубликовано: 16 дек. 2021

Источник: github

Github: Прошло ревью

Описание

Critical vulnerability in log4j may affect generated PEAR projects

Impact

UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.

Patches

The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.
Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml.

References

https://www.lunasec.io/docs/blog/log4j-zero-day/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/averbis/pear-archetype/issues

Ссылки

Пакеты

Наименование

de.averbis.textanalysis:pear-archetype

maven

Затронутые версииВерсия исправления

= 2.0.0

2.0.1