NEXUS-30666 (Dev - Nexus Repo)

Upgrade logback to 1.2.9 to mitigate CVE-2021-42550

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.14.20, 3.32.0, 3.37.0
    • Fix Version/s: 2.14.21, 3.37.1, 3.32.1
    • Component/s: Logging
    • Labels:
    • Release Note: Yes

      Description

      Nexus Repository Manager does not use any version of log4j; it uses logback instead. It is therefore not at risk from vulnerabilities impacting log4j.

      However, because of a low/moderate vulnerability in "logback" (CVE-2021-42550), we're taking precautionary measures by updating the logback library version used in Nexus Repository Manager products.

      • Repository Manager 3.37.1 - logback was upgraded to 1.2.9 from 1.2.3 as used in Nexus Repository 3.37.0
      • Repository Manager 3.32.1 - logback was upgraded to 1.2.9 from 1.2.3 as used in Nexus Repository 3.32.0
      • Repository Manager 2.14.21 - logback was upgraded to 1.2.9 from 1.2.3 as used in Nexus Repository 2.14.20

            People

            Assignee: Unassigned
            Reporter: Michael Prescott (mprescott)
            Last Updated By: Michael Martz
            Votes: 0
            Watchers: 1
