How can we help?
Our product is using build-info-extractor-gradle for publishing artifacts to a JFrog Artifactory repository. A couple of months back our team introduced vulnerability scanning tools. One of them is Black Duck. We are getting multiple critical warnings from that tool due to the internal dependency on Apache Log4j. We upgraded build-info-extractor-gradle to the latest 5.1.4, but still we are getting the same warning. Now it has become a compliance issue for our product. Could you please advise how to solve this? Please find more details below:
build.gradle -> -gradle -> org.jfrog.buildinfo:build-info-extractor-gradle:5.1.3 -> org.jfrog.buildinfo:build-info-extractor:2.41.4 -> commons-logging:commons-logging:1.2 -> log4j:log4j:1.2.17
https://mvnrepository.com/artifact/org.jfrog.buildinfo/build-info-extractor-gradle/5.1.4
Published on: 12/20/19
Updated on: 1/3/23
Base score: 9.8
Exploitability: 3.9
Description: Apache Log4j is vulnerable to remote code execution (RCE). This allows a remote attacker to send a crafted serialized payload that, when processed by Log4j, will execute arbitrary code. This can occur if Log4j is deserializing untrusted network traffic.
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
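One way to keep the scanner quiet while an upstream fix is pending, shown here as an added example rather than code from the issue or from the JFrog build-info project: exclude the transitive log4j 1.x artifact from the plugin's buildscript classpath and register a guard task that fails the build if it ever resolves again. It assumes the plugin is applied through the buildscript classpath (not the plugins {} block); the task name checkNoLog4j1 is made up for this example.

```groovy
// build.gradle (Groovy DSL). Added example, not code from the issue or from
// the JFrog build-info project. Applies the Artifactory Gradle plugin via the
// buildscript classpath so the transitive log4j 1.x artifact can be excluded.
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath('org.jfrog.buildinfo:build-info-extractor-gradle:5.1.4') {
            // Drop log4j:log4j:1.2.17 (CVE-2019-17571) reached through
            // build-info-extractor -> commons-logging. commons-logging picks
            // its backend at runtime and falls back to java.util.logging when
            // no log4j 1.x jar is on the classpath, so the plugin keeps working.
            exclude group: 'log4j', module: 'log4j'
        }
    }
}

apply plugin: 'com.jfrog.artifactory'

// Guard task (name made up for this example): fail the build if any
// log4j:log4j artifact is still on the buildscript classpath, so a future
// plugin upgrade that reintroduces it is caught before the scanner flags it.
tasks.register('checkNoLog4j1') {
    description = 'Fails if log4j:log4j resolves on the buildscript classpath'
    doLast {
        def offenders = project.buildscript.configurations.classpath
            .resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'log4j' && it.name == 'log4j' }
        if (!offenders.empty) {
            throw new GradleException(
                "log4j 1.x still on the buildscript classpath: ${offenders}")
        }
    }
}
```

Running `gradle buildEnvironment` prints the resolved buildscript classpath, which is a quick way to confirm the exclusion took effect before re-running the scanner.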