Fixing Log4J vulnerability in course repo

VinayakPandey

SCA stage is failing with this error:

One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':

log4j-api-2.15.0.jar: CVE-2021-45046
logback-core-1.2.6.jar: CVE-2021-42550

How can we fix this log4j vulnerability issue in course code repo(dso-demo)

gouravshah

@VinayakPandey this is the latest and severe vulnerability which affected organisations widely across the globe.

The fix is to update the log4j package with the latest version. I am going to reproduce this issue, fix it and post the answer here.

gouravshah

Some reading material on this vulnerability

https://www.wired.com/story/log4j-flaw-hacking-internet/
https://security.googleblog.com/2021/12/understanding-impact-of-apache-log4j.html
https://logging.apache.org/log4j/2.x/security.html

Also, this reinforces the importance of using DevSecOps practices as the vulnerability was detected immediately and automatically.

jsu

Any > @gouravshah said:

@VinayakPandey this is the latest and severe vulnerability which affected organisations widely across the globe.

The fix is to update the log4j package with the latest version. I am going to reproduce this issue, fix it and post the answer here.

Any feedback about this issue?