
Should we do something regarding the Log4j vulnerability when we are using it for testing? (TestNG Framework)

We are using TestNG framework with Log4j for preparing end to end tests. Should we take some action?

Just because the vulnerability is only in your test dependencies does not mean you can ignore it.

However, you should be in full control of your input, and this should cover all possible log messages as well. So you could assume that nobody from outside can easily exploit this vulnerability. So if you are not planning to add injection strings to your test data, you should be OK.
I recommend updating anyway, as you never know if it could be used in some kind of exploit chain (another exploit in the future might rewrite your input, and that ends up in the logging). But it has a lower priority than fixing any publicly available server.

Version 2.15.0 of Log4j contains the fix.
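To check whether a test-scoped Log4j is older than the version named in the answer, this added example (not part of the original answer) scans `mvn dependency:tree` output for `log4j-core` below 2.15.0 and reports the scope it was pulled in under. The Maven build, the constructed sample output and the function names are assumptions made for illustration.

```python
import re

# Version the answer above names as containing the fix.
FIXED = (2, 15, 0)

# One artifact line of `mvn dependency:tree` output:
# groupId:artifactId:packaging[:classifier]:version:scope
COORD = re.compile(
    r"(org\.apache\.logging\.log4j):(log4j-core):[\w.-]+:(?:[\w.-]+:)?"
    r"(\d+(?:\.\d+)*)([\w.-]*):(compile|test|runtime|provided|system)\b"
)

def parse_version(numeric):
    """Turn '2.14.1' into (2, 14, 1), padding short versions with zeros."""
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def find_old_log4j(tree_text):
    """Return (version, scope) for each log4j-core older than FIXED."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        numeric, qualifier, scope = m.group(3), m.group(4), m.group(5)
        version = parse_version(numeric)
        # A qualifier such as -rc1 on the fixed version is a pre-release of it.
        if version < FIXED or (version == FIXED and qualifier):
            findings.append((numeric + qualifier, scope))
    return findings

# Constructed sample of `mvn dependency:tree` output for a test project.
SAMPLE = """\
[INFO] com.example:e2e-tests:jar:1.0-SNAPSHOT
[INFO] +- org.testng:testng:jar:7.4.0:test
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:test
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:test
"""

if __name__ == "__main__":
    for version, scope in find_old_log4j(SAMPLE):
        print(f"log4j-core {version} in scope '{scope}' predates 2.15.0")
```

A `test` scope in the result means the library is only on the test classpath, which matches the situation in the question; any other scope means it also ships with the application.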
