Discussion:
[SECURITY] CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability
Jan Matèrne (jhm)
2018-02-07 07:11:02 UTC
CVE-2017-5645: Apache Ant 1.9.9 and 1.10.1 - Apache Log4j 1.2.13 security vulnerability

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:

Apache Ant 1.9.0 - 1.9.9

Apache Ant 1.10.0 - 1.10.1

The unsupported Apache Ant 1.8 and lower versions are also affected.

Description:

When using Apache Ant's Log4jListener there could be a security issue with the underlying Apache Log4j library in version 1.x.

Please note that Log4j 1.x has reached its end of life and is no longer
maintained.

For details about migrating away from Log4j 1.x please consult with the
Apache Log4j team.

Mitigation:

Users should either stop using the Log4jListener or use the log4j2-bridge instead.

(Using the bridge requires Ant 1.9.10+ or Ant 1.10.2+.)

Credit:

This issue was discovered by Wade Schwarz of Oracle.





-Jan Matèrne

on behalf of the Apache Ant PMC
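
A check for the exposure described above, as an added example that is not part of the original advisory or of Apache Ant: it classifies an `ant -version` string against the affected ranges listed above and flags lines of a build or CI script that reference Log4jListener. The sample lines, function names and status strings are constructed for illustration.

```python
import re

# Matches both the short name and org.apache.tools.ant.listener.Log4jListener
LISTENER = re.compile(r"\bLog4jListener\b")
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Extract (major, minor, patch) from e.g. the output of `ant -version`."""
    m = VERSION.search(text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())

def ant_version_affected(text):
    """True for the ranges in the advisory: 1.8 and lower, 1.9.0-1.9.9, 1.10.0-1.10.1."""
    v = parse_version(text)
    return v <= (1, 9, 9) or (1, 10, 0) <= v <= (1, 10, 1)

def find_listener_usage(lines):
    """Return (line_number, text) for each line that references Log4jListener."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1)
            if LISTENER.search(line)]

def assess(version_text, lines):
    """Combine both checks into one status for a build host."""
    if not find_listener_usage(lines):
        return "ok"        # listener not referenced, nothing to mitigate
    if ant_version_affected(version_text):
        return "exposed"   # listener in use, Ant too old for the log4j2-bridge
    return "review"        # confirm the log4j2-bridge replaced Log4j 1.x

# Constructed sample: lines as they might appear in a CI wrapper script.
SAMPLE = [
    'export ANT_ARGS="-listener org.apache.tools.ant.listener.Log4jListener"',
    "ant -f build.xml dist",
    "ant -logger org.apache.tools.ant.NoBannerLogger clean",
]

if __name__ == "__main__":
    banner = "Apache Ant(TM) version 1.9.9 compiled on February 2 2017"
    for n, text in find_listener_usage(SAMPLE):
        print("line %d: %s" % (n, text))
    print(assess(banner, SAMPLE))
```

A "review" result means the Ant version can use the bridge, but the classpath still has to be checked by hand for a remaining Log4j 1.x jar.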
