Web-Karma icon indicating copy to clipboard operation
Web-Karma copied to clipboard

Published 20 hours ago verified publisher icon usc-isi-i2

log4j and Apache Tomcat vulnerabilities

Open RLWOHIO opened this issue 1 year ago • 1 comments

I would really like to try out Karma but was recently denied installation by our Information Security people after they found three log4j and one Apache Tomcat vulnerabilities in this software. Could you have the related dependencies updated to the latest releases? Thanks!

RLWOHIO avatar Oct 25 '24 12:10 RLWOHIO

here are more details about these vulnerabilities: Karma-Windows\Karma-Windows\resources\app\tomcat\webapps\clusterService.war!WEB-INF/lib/log4j-1.2.14.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.14, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.14, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found ) )

Karma-Windows\Karma-Windows\resources\app\tomcat\webapps\ROOT\ROOT.zip!WEB-INF/lib/log4j-1.2.14.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.14, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.14, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found )

Karma-Windows\Karma-Windows\resources\app\tomcat\webapps\ROOT\WEB-INF\lib\log4j-1.2.14.jar' ( Manifest Vendor: Apache Software Foundation, Manifest Version: 1.2.14, JNDI Class: NOT Found, Log4j Vendor: log4j, Log4j Version: 1.2.14, CVE Status: Potentially Vulnerable ( CVE-2021-4104: Found )

Also, this is the Apache Tomcat vulnerability that was flagged as well. [https://www.tenable.com/plugins/nessus/192043]

RLWOHIO avatar Oct 25 '24 17:10 RLWOHIO