GMS-2021-72: Critical vulnerability in log4j may affect generated PEAR projects

December 16, 2021

Impact

UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.

Patches

The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.
Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml.

References

https://www.lunasec.io/docs/blog/log4j-zero-day/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/averbis/pear-archetype/issues

References

Detect and mitigate GMS-2021-72 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →