It has come to my attention that the latest Typefox.Yang extension for VS code (v2.3.4) contains / utilises a vulnerable Log4j Java (.jar) file, this is located here for each user:
c:\users\<username>\.vscode\extensions\typefox.yang-vscode-2.3.4\server\lib\log4j-1.2.17.jar
This file exposes the users device to the following 4 CVEs:
- CVE-2020-9493 - CVSS 9.8 (Critical) - "A deserialization flaw was found in Apache Chainsaw... "
- CVE-2022-23302 - CVSS 8.8 (High) - "Deserialization of Untrusted Data in Log4j 1.x "
- CVE-2023-26464 - CVSS 7.5 (High) - "Apache Log4j 1.x (EOL) allows Denial of Service (DoS) "
- CVE-2022-23305 - CVSS 6.5 (Medium) - "SQL Injection in Log4j 1.2.x "
Please can you update the Log4j component at your earliest opportunity to fix the 4 weaknesses this introduces to users devices.
Recommendation is to use latest 2.26.x release from here: https://logging.apache.org/log4j/2.x/download.html as this version is under active development
It has come to my attention that the latest Typefox.Yang extension for VS code (v2.3.4) contains / utilises a vulnerable Log4j Java (.jar) file, this is located here for each user:
c:\users\<username>\.vscode\extensions\typefox.yang-vscode-2.3.4\server\lib\log4j-1.2.17.jarThis file exposes the users device to the following 4 CVEs:
Please can you update the Log4j component at your earliest opportunity to fix the 4 weaknesses this introduces to users devices.
Recommendation is to use latest 2.26.x release from here: https://logging.apache.org/log4j/2.x/download.html as this version is under active development