Bug 57291 - Veracode scan detected OS command injection vulnerability in Log4j.jar - JDBCAppender.java:178
Summary: Veracode scan detected OS command injection vulnerability in Log4j.jar - JDBC...
Status: NEW
Alias: None
Product: Log4j - Now in Jira
Classification: Unclassified
Component: Appender
Version: 1.2
Hardware: PC All
Importance: P2 normal
Target Milestone: ---
Assignee: log4j-dev
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-01 10:21 UTC by Arkadeep Kundu
Modified: 2014-12-01 10:22 UTC
Description Arkadeep Kundu 2014-12-01 10:21:58 UTC
Log4j is embedded in EMC Corporation's DFS 6.7SP1.
We performed a Veracode scan for DFS 6.7SP1, and the scan reported that code in Log4j.jar - JDBCAppender.java:178 (no further details) is POSSIBLY vulnerable to SQL injection attacks.

Log4j version: 1.2.13

We need an update on this from the Apache side.
Is it really vulnerable? If yes, is it fixed in some future version?
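Added example (not code from the reporter, Veracode or the log4j project): a Python model of why an appender that builds its INSERT by text substitution is injectable, next to a parameterized insert. It assumes that the log4j 1.2.x JDBCAppender runs its configured SQL through a PatternLayout so that `%m` is replaced by the raw message text; the table name and sample messages are constructed.

```python
import sqlite3

# Assumption about log4j 1.2.x JDBCAppender (this is a model, not its code):
# the configured SQL is passed through a PatternLayout, so %p and %m are
# replaced with the level and the raw message text before execution.
PATTERN_SQL = "INSERT INTO LOGS (LEVEL, MESSAGE) VALUES ('%p', '%m')"


def format_sql_like_jdbcappender(pattern, level, message):
    """Model of the layout step: plain text substitution into the SQL."""
    return pattern.replace("%p", level).replace("%m", message)


def new_db():
    """Fresh in-memory SQLite database with a constructed LOGS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (LEVEL TEXT, MESSAGE TEXT)")
    return conn


def append_formatted(conn, level, message):
    """Vulnerable path: the statement's structure depends on message content."""
    conn.execute(format_sql_like_jdbcappender(PATTERN_SQL, level, message))


def append_parameterized(conn, level, message):
    """Hardened path: fixed SQL text, message carried as a bound parameter."""
    conn.execute("INSERT INTO LOGS (LEVEL, MESSAGE) VALUES (?, ?)", (level, message))


def stored_messages(conn):
    return [row[0] for row in conn.execute("SELECT MESSAGE FROM LOGS")]


def demo(message):
    """Log one message both ways; return (formatted outcome, parameterized rows)."""
    conn = new_db()
    try:
        append_formatted(conn, "INFO", message)
        formatted = "ok:" + stored_messages(conn)[0]
    except sqlite3.Error as exc:
        # An apostrophe in ordinary input already alters the SQL; such failures
        # show up in the log sink's own error output and are worth monitoring.
        formatted = "error:" + type(exc).__name__
    conn = new_db()
    append_parameterized(conn, "INFO", message)
    return formatted, stored_messages(conn)


if __name__ == "__main__":
    # Constructed sample messages; the second carries a plain apostrophe.
    for msg in ("user logged in", "login failed for O'Brien"):
        print(repr(msg), "->", demo(msg))
```

The parameterized insert stores every message verbatim, while the substituted form fails on the first apostrophe because the message text has become part of the statement.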