Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Log4j finding in PWM 1.9.2 (OneJar) #642

Closed
norschel opened this issue Feb 17, 2022 · 1 comment
Closed

Log4j finding in PWM 1.9.2 (OneJar) #642

norschel opened this issue Feb 17, 2022 · 1 comment

Comments

@norschel
Copy link

We used the Log4 scanner from the GitHub project (https://github.com/hillu/local-log4j-vuln-scanner) to look for the Log4 vulnerabilities from December 2021. The scanner found a finding on the OneJar of PWM version 1.9.2.

Output from local-log4j-vuln-scanner:
local-log4j-vuln-scanner.exe c:\PWM | grep "vulnerable component found"
indicator for vulnerable component found in c:\PWM\pwm-onejar-1.9.2.jar::embed.war::WEB-INF/lib/log4j-1.2.17.jar (org/apache/log4j/net/SocketNode.class): SocketNode.class log4j 1.2.17 CVE-2019-17571

Is PWM affected by the Log4 vulnerabilities? If so, is an updated version already on the horizon?

@jrivard
Copy link
Contributor

jrivard commented Feb 17, 2022

Dupe of issue #628.

@jrivard jrivard closed this as completed Feb 17, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants