Apply log4j security patch to memcached1.4.x


Deepthi Komatineni

Oct 23, 2018, 11:24:15 PM
to spymemcached
In our project we use spymemcached.2.11.1.jar, which uses Log4J 1.2.16.


There is a security vulnerability observed in Apache Log4j 2.x before 2.8.2: when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialised, can execute arbitrary code.


How do I apply the Log4J security patch (https://www.cvedetails.com/cve/CVE-2017-5645/) on memcached jars? Would memcached do it or should I update the pom.xml in memcached jar myself?


Regards,

Deepthi

ingenthr

Oct 24, 2018, 12:00:26 AM
to spymemcached
You should be able to update your Log4J dependency to a later one which is compatible directly as you indicate in the pom.xml.  I'll have a look at updating this as well.

John Reilly

Oct 27, 2018, 10:15:46 PM
to spymem...@googlegroups.com
The CVE indicates that log4j 2.x is affected but not 1.x.
