12/14/21, 01:30 PM   #1
static_recharge
AddOn Author
Join Date: Apr 2014
Posts: 32
Java Vulnerability

Minion Team,

It looks like Minion is using log4j 2.6.2. This is currently a version of the log4j exploit actively being used. It currently ranks a 10 out of 10 in severity.

I am just checking to see if you are aware of this, and/or have any plans to address/fix this.

Oracle has issued a fixed version of the library.
12/14/21, 01:34 PM   #2
Baertram
Super Moderator
 
WoWInterface Super Mod
AddOn Author
Join Date: Mar 2014
Posts: 4,912
Moved to Minion forum.
sirinsidiator did a test and it does not seem to be vulnerable according to the exploit test info provided here

https://www.lunasec.io/docs/blog/log4j-zero-day/
03/02/22, 05:58 PM   #3
Wailen
Join Date: Feb 2022
Posts: 1
Log4j

There is a new version of Log4j available since December 27th, and it supposedly fixes the possible exploit in 2.17.0. Do you have any plans to update to that version?

The security software I use flags version 2.17.0 as compromised.

https://logging.apache.org/log4j/2.x/security.html
03/31/22, 04:01 PM   #4
UusSanct
Join Date: May 2017
Posts: 2
Does anyone know if Minion uses Java Spring?
A set of high-profile vulnerabilities have been identified affecting the popular Java Spring Framework and related software components - generally being referred to as Spring4Shell.

Four CVEs have been released so far and are being actively updated as new information emerges. These vulnerabilities can result, in the worst case, in full remote code execution (RCE) compromise:

CVE-2022-22947 - [official VMware post]
CVE-2022-22950 - [official VMware post]
CVE-2022-22963 - [official Spring project post]
CVE-2022-22965 - [official Spring project post]

Customers using Java Spring and related software components, such as the Spring Cloud Gateway, should immediately review their software and update to the latest versions by following the official Spring project guidance.
04/01/22, 08:44 AM   #5
Dolby
Every day I'm shuffling
 
Premium Member
WoWInterface Admin
Join Date: Feb 2004
Posts: 1,276
Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion

Originally Posted by UusSanct:
Does anyone know if Minion uses Java Spring?
04/03/22, 10:01 PM   #6
UusSanct
Join Date: May 2017
Posts: 2
Originally Posted by Dolby:
Nope, but you can see the dependencies yourself if you press the (i) icon in the upper right of Minion
thank you for that, tmyk