how to mitigate for the Log4J CVE Vulnerability scan report.


Lavanya.Sh...@infineon.com

Jan 3, 2022, 6:03:33 AM
to us...@subversion.apache.org

Dear Team,

Scanning for Log4J CVE Vulnerability found these files with severity mentioned below.
Can you guide on how to mitigate?

svn version: 1.8.19

OS: Windows

| Severity | File Found |
|---|---|
| Vulnerable | D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\grails-plugin-log4j-2.4.4.jar |
| Outdated | D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\log4j-1.2.17.jar |
| Unknown version | D:\csvn\appserver\work\jetty-0.0.0.0-3343-csvn.war-_csvn-any-\webapp\WEB-INF\lib\tomcat-embed-logging-log4j-7.0.50.jar |
| Outdated | D:\csvn\appserver\work\jetty-0.0.0.0-3343-integration.war-_integration-any-\webapp\WEB-INF\lib\log4j-1.2.13.jar |

Thanks & Regards,
Lavanya.

Mauricio Tavares

Jan 3, 2022, 6:53:00 AM
to Lavanya.Sh...@infineon.com, us...@subversion.apache.org
AFAIK, subversion by itself has no java. In fact, per
https://subversion.apache.org/, "Some vendors provide Java based web
interfaces bundled with their Subversion distribution. Please check
your vendor's information to verify if you are vulnerable." Do you
know where you got your Windows binaries from? Some of them are listed
in https://subversion.apache.org/packages.html#windows

Mark Phippard

Jan 3, 2022, 7:24:28 AM
to Lavanya.Sh...@infineon.com, Subversion
On Mon, Jan 3, 2022 at 6:03 AM <Lavanya.Sh...@infineon.com> wrote:

> Dear Team,
>
> Scanning for Log4J CVE Vulnerability found these files with severity mentioned below.
> Can you guide on how to mitigate?


Subversion's statement on the log4j vuln is here:  https://subversion.apache.org/#news-20211215

The files you listed come from a 3rd party distribution of SVN called SVN Edge. Their statement is here:


Mark