Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qN2MzLTk2cmYtanJycM0cpw
Critical vulnerability in log4j may affect generated PEAR projects
Impact
UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.
Patches
-
The issue has been resolved in
de.averbis.textanalysis:pear-archetypeversion2.0.1. Please make sure to usede.averbis.textanalysis:pear-archetypeversion >=2.0.1for generating new PEAR projects. -
Existing maven PEAR projects can be patched by manually upgrading to
log4j>=2.16.0inpom.xml.
References
https://www.lunasec.io/docs/blog/log4j-zero-day/
For more information
If you have any questions or comments about this advisory:
- Open an issue in https://github.com/averbis/pear-archetype/issues
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qN2MzLTk2cmYtanJycM0cpw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: over 1 year ago
Identifiers: GHSA-j7c3-96rf-jrrp
References:
- https://github.com/averbis/pear-archetype/security/advisories/GHSA-j7c3-96rf-jrrp
- https://github.com/averbis/pear-archetype/commit/6815f5981c836ab8c345a6ff54f29e9f4b67f7eb
- https://github.com/advisories/GHSA-j7c3-96rf-jrrp
Blast Radius: 1.0
Affected Packages
maven:de.averbis.textanalysis:pear-archetype
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: = 2.0.0
Fixed in: 2.0.1
All affected versions: 2.0.0
All unaffected versions: 1.0.0, 1.1.0, 1.1.1, 2.0.1, 2.0.2