
Fix: Vulnerability for logback-classic #305

Open: wants to merge 1 commit into base branch develop

Conversation

@AbhishekKumar9984 (Contributor) commented Jul 15, 2025

Issue:
Resolved a high-severity Denial of Service (DoS) vulnerability (CVE-2023-6378) in the logback receiver component (ch.qos.logback:logback-classic). This vulnerability allowed attackers to exploit a serialization flaw by sending malicious data to the receiver component, potentially causing system unavailability. The issue is present in environments where the logback receiver component is deployed, specifically affecting logback-classic version 1.2.8.

Root Cause:
The logback receiver component failed to adequately validate serialized input data. If the receiver was enabled, attackers could send specially crafted serialized payloads that triggered resource exhaustion, leading to Denial of Service.

Fix: Upgraded ch.qos.logback:logback-classic to 1.5.16.

JIRA Ticket: https://cdap.atlassian.net/browse/PLUGIN-1907
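As an added example, not part of this PR or the CDAP plugin code, a small Python check that scans `mvn dependency:tree` output and flags any logback-classic artifact below the version this PR upgrades to; the regex, function names and sample tree lines are constructed assumptions.

```python
import re
from typing import List, Tuple

# Hypothetical helper (not from the PR): the only page-derived values are the
# artifact coordinate and the target version 1.5.16 named in the description.
ARTIFACT = "ch.qos.logback:logback-classic"
MIN_SAFE_VERSION = "1.5.16"

# Matches "<group>:<artifact>:<type>:<version>[:<scope>]" as mvn dependency:tree prints it.
_COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.8' (or '1.5.16-SNAPSHOT') into a comparable numeric tuple.
    Qualifiers after '-' and non-numeric segments are ignored; short
    versions are zero-padded so '1.2' compares like '1.2.0'."""
    nums = []
    for part in v.split("-")[0].split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums) + (0,) * (3 - len(nums))


def find_outdated(tree_output: str, artifact: str = ARTIFACT,
                  min_version: str = MIN_SAFE_VERSION) -> List[Tuple[str, str]]:
    """Return (coordinate, version) for every occurrence of `artifact`
    whose resolved version is older than `min_version`."""
    hits = []
    for line in tree_output.splitlines():
        m = _COORD_RE.search(line)
        if not m:
            continue
        coord = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if coord == artifact and parse_version(version) < parse_version(min_version):
            hits.append((coord, version))
    return hits


# Constructed sample in the shape of `mvn dependency:tree` output (not real project data).
SAMPLE_TREE = """\
[INFO] io.cdap.plugin:example-plugin:jar:1.0.0-SNAPSHOT
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.8:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.2.8:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- some.transitive:lib:jar:2.0:test
[INFO]    \\- ch.qos.logback:logback-classic:jar:1.5.16:test
"""

if __name__ == "__main__":
    for coord, version in find_outdated(SAMPLE_TREE):
        print(f"outdated: {coord}:{version} (< {MIN_SAFE_VERSION})")
```

Run it against the real output of `mvn dependency:tree` to confirm that no transitive path still resolves the old version after the pom change.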

@psainics force-pushed the vulFix-logback-classic branch from 6ef7520 to d59fef1 on July 17, 2025 07:41