Block one more gadget type (logback, CVE-2019-14439)

[cowtowncoder]

Another gadget type report regarding logback/JNDI.

Mitre id: CVE-2019-14439
Reporter: xiexq@knownsec.com (Badcode of Knownsec 404 Team)

---

Fixed in:

• 2.9.10
• 2.8.11.4
• 2.7.9.6
• 2.6.7.3

[jdelta-RBS]

Similar to #2341 and others? -_-

[cowtowncoder]

@jdelta-RBS yup, same old shite.

[carnil]

Is this the correct CVE? According to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439 CVE-2019-14439 was assigned for this issue.

[cowtowncoder]

I don't know. I guess this is downside of my not requesting CVE IDs -- looks like we now have TWO cve ids for same thing. :-/

Will the real CVE-for-logback please stand up?

[carnil]

Hi

On Tue, Jul 30, 2019 at 03:35:23PM -0700, Tatu Saloranta wrote: I don't know. I guess this is downside of my not requesting CVE IDs -- looks like we now have TWO cve ids for same thing. :-/

Uh okay! I asked MITRE (via https://cveform.mitre.org/) if they can look up and reject one of those.