ESOUI

ESOUI (https://www.esoui.com/forums/index.php)
-   Minion (https://www.esoui.com/forums/forumdisplay.php?f=183)
-   -   Java Vulnerability (https://www.esoui.com/forums/showthread.php?t=10007)

static_recharge 12/14/21 01:30 PM

Java Vulnerability
 
Minion Team,

It looks like Minion is using log4j 2.6.2. This is currently a version of the log4j exploit activly being used. It is currently ranks a 10 out of 10 in severity.

I am just checking to see if you are aware of this, and/or have any plans to address/fix this.

Oracle has issued a fixed version of the library.

Baertram 12/14/21 01:34 PM

Moved to Minion forum.
sirinsidiator did a test and it does not seem to be vulnerable according to the exploit test info provided here

https://www.lunasec.io/docs/blog/log4j-zero-day/

Wailen 03/02/22 05:58 PM

Log4j
 
There is a new version of Log4j available since December 27th, and it supposedly fixes the possible exploit in 2.17.0. Do you have any plans to update to that version?

The security software I use, flags version 2.17.0 as compromised.

https://logging.apache.org/log4j/2.x/security.html

UusSanct 03/31/22 04:01 PM

Does anyone know if Minion uses Java Spring?
A set of high-profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

CVE-2022-22947 - [official VMware post]
CVE-2022-22950 - [official VMware post]
CVE-2022-22963 - [official Spring project post]
CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.

Dolby 04/01/22 08:44 AM

Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion

Quote:

Originally Posted by UusSanct (Post 45616)
Does anyone know if Minion uses Java Spring?
A set of high-profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

CVE-2022-22947 - [official VMware post]
CVE-2022-22950 - [official VMware post]
CVE-2022-22963 - [official Spring project post]
CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.


UusSanct 04/03/22 10:01 PM

Quote:

Originally Posted by Dolby (Post 45619)
Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion

thank you for that, tmyk


All times are GMT -6. The time now is 02:26 AM.

vBulletin © 2022, Jelsoft Enterprises Ltd
© 2014 - 2021 MMOUI