The CVE says it affects SocketServer up to Log4j 2.8.2, so it's not only a Log4j 1.x issue. Did I miss something?
Gintas

2018-02-07 8:11 GMT+01:00 Jan Matèrne (jhm) <apa...@materne.de>:

> CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
>
> Severity: low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Ant 1.9.0 - 1.9.9
> Apache Ant 1.10.0 - 1.10.1
> The unsupported Apache Ant 1.8 and lower versions are also affected.
>
> Description:
> When using Apache Ant's Log4jListener there could be a security issue with the
> underlying Apache Log4j library in version 1.x.
> Please note that Log4j 1.x has reached its end of life and is no longer maintained.
> For details about migrating away from Log4j 1.x please consult with the Apache Log4j team.
>
> Mitigation:
> Users should not use the Log4JListener or use the log4j2-bridge.
> (Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)
>
> Credit:
> This issue was discovered by Wade Schwarz of Oracle.
>
> -Jan Matèrne
> on behalf of the Apache Ant PMC