ESOUI

static_recharge 12/14/21 01:30 PM

Java Vulnerability
 
Minion Team,

It looks like Minion is using log4j 2.6.2. This is currently a version of the log4j exploit actively being used. It currently ranks a 10 out of 10 in severity.

I am just checking to see if you are aware of this, and/or have any plans to address/fix this.

Oracle has issued a fixed version of the library.

Baertram 12/14/21 01:34 PM

Moved to Minion forum.
sirinsidiator did a test and it does not seem to be vulnerable according to the exploit test info provided here:

https://www.lunasec.io/docs/blog/log4j-zero-day/

Wailen 03/02/22 05:58 PM

Log4j
 
There is a new version of Log4j available since December 27th, and it supposedly fixes the possible exploit in 2.17.0. Do you have any plans to update to that version?

The security software I use flags version 2.17.0 as compromised.

https://logging.apache.org/log4j/2.x/security.html

UusSanct 03/31/22 04:01 PM

Does anyone know if Minion uses Java Spring?
A set of high-profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

CVE-2022-22947 - [official VMware post]
CVE-2022-22950 - [official VMware post]
CVE-2022-22963 - [official Spring project post]
CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.

Dolby 04/01/22 08:44 AM

Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion

Quote:

Originally Posted by UusSanct (Post 45616)
Does anyone know if Minion uses Java Spring?
A set of high-profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

CVE-2022-22947 - [official VMware post]
CVE-2022-22950 - [official VMware post]
CVE-2022-22963 - [official Spring project post]
CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.


UusSanct 04/03/22 10:01 PM

Quote:

Originally Posted by Dolby (Post 45619)
Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion

thank you for that, tmyk
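
Added example, not part of the thread and not Minion's own code: a way to check an installed Java application's bundled log4j-core directly on disk instead of through the (i) dialog. It walks an install directory, opens every jar (including jars nested inside a fat jar), and reports each log4j-core copy with the version from its Maven metadata and whether `JndiLookup.class` is still present. `build_jar` and the sample directory are constructed for the demo.

```python
import io, re, tempfile, zipfile
from pathlib import Path

# Entry names fixed by log4j-core's own packaging.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data, label, findings, depth=0):
    """Record every log4j-core copy in one archive, recursing into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a real archive despite the extension
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # shaded jars may drop the Maven metadata
            if POM_PROPS in names:
                props = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", props, re.M)
                version = m.group(1) if m else version
            findings.append({"where": label, "version": version,
                             "jndi_lookup": JNDI_CLASS in names})
        if depth < 3:  # fat jars bundle other jars; cap the recursion
            for name in sorted(names):
                if name.lower().endswith(ARCHIVES):
                    inspect_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan(root):
    """Return one finding per log4j-core copy under an install directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return findings

def build_jar(version, with_jndi=True):
    """Constructed stand-in for log4j-core: metadata plus an empty class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample install
        Path(tmp, "log4j-core-2.6.2.jar").write_bytes(build_jar("2.6.2"))
        print(scan(tmp))
```

Compare the reported versions against the Apache security page linked earlier in the thread; a copy reported with `jndi_lookup` false has had the lookup class stripped from the jar.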


All times are GMT -6.