
log4j 1.2.17 and CVE-2019-17571 #4

Open
jonathan-dill-nih opened this issue Jan 18, 2022 · 2 comments

Comments

@jonathan-dill-nih

Just an FYI that this package contains a vulnerable version of log4j. It's not a huge showstopper for me as it's mainly a bit more convenient to use than instantclient, but if there is something else you have been using recently, any recommendation would be much appreciated. Thanks for your work on this project thus far.

@aimtiaz11
Owner

@jonathan-dill-nih - Hi, no, I don't have a workaround currently.

However, I did check what that vulnerability is about. It becomes an issue when listening on network traffic and performing logging, which this CLI tool does not do.
https://www.whitesourcesoftware.com/vulnerability-database/CVE-2019-17571

So while the log4j library may contain the specified vulnerability, I don't think it can be exploited through this tool due to the way it works.

@kapcus

kapcus commented Nov 7, 2022

Still, it would be great to fix it. In an enterprise environment, there are automated filesystem scans searching for all potentially vulnerable components, and this tool is now being reported as vulnerable and removed by administrators afterwards - just because it includes a vulnerable third-party component, no matter if some function is called or not.
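As an added example that is not part of this project or either comment, the following Python script mirrors the two views in the thread: it reports a log4j 1.2.x jar by its Maven version marker the way a filesystem scanner does, separately checks whether the jar actually ships the deserializing `org/apache/log4j/net/SocketServer.class` behind CVE-2019-17571, and shows that stripping that class (a mitigation sometimes applied when upgrading is not an option) does not change what a version-keyed scanner reports. The jar contents are constructed in memory; the class bytes are a placeholder, not a real class file.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Optional

# CVE-2019-17571: log4j 1.2.x (up to 1.2.17) deserializes untrusted data in this class.
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"
POM_PROPS = "META-INF/maven/log4j/log4j/pom.properties"

@dataclass
class Finding:
    version: Optional[str]
    has_socket_server: bool
    @property
    def flagged_by_version(self) -> bool:
        # What a version-keyed scanner reports: any log4j 1.2.x jar, used or not.
        return self.version is not None and self.version.startswith("1.2.")

def log4j_version(zf: zipfile.ZipFile) -> Optional[str]:
    # Maven's pom.properties is the most reliable version marker inside a log4j 1.x jar.
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def scan_jar(jar) -> Finding:
    # `jar` may be a filesystem path or a binary file object; zipfile accepts both.
    with zipfile.ZipFile(jar) as zf:
        return Finding(log4j_version(zf), SOCKET_SERVER in zf.namelist())

def strip_socket_server(src) -> io.BytesIO:
    # Rewrite the jar without the deserializing class; the version marker is left untouched.
    out = io.BytesIO()
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename != SOCKET_SERVER:
                zout.writestr(item, zin.read(item.filename))
    out.seek(0)
    return out

def make_sample_jar(version: str = "1.2.17") -> io.BytesIO:
    # Constructed stand-in for log4j-1.2.17.jar holding only the two entries scanned above.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=log4j\nartifactId=log4j\n")
        zf.writestr(SOCKET_SERVER, b"\xca\xfe\xba\xbe")  # placeholder, not a real class file
    buf.seek(0)
    return buf
```

Run `scan_jar` over every `*.jar` under an install directory to see what an administrator's scan will flag; only an upgrade away from log4j 1.2.x changes the version-based result.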
