Skip to content

Log4j security issue in Typefox.yang VSCode extension #111

Description

@AScott-WWF

It has come to my attention that the latest Typefox.Yang extension for VS code (v2.3.4) contains / utilises a vulnerable Log4j Java (.jar) file, this is located here for each user:
c:\users\<username>\.vscode\extensions\typefox.yang-vscode-2.3.4\server\lib\log4j-1.2.17.jar

This file exposes the users device to the following 4 CVEs:

  • CVE-2020-9493 - CVSS 9.8 (Critical) - "A deserialization flaw was found in Apache Chainsaw... "
  • CVE-2022-23302 - CVSS 8.8 (High) - "Deserialization of Untrusted Data in Log4j 1.x "
  • CVE-2023-26464 - CVSS 7.5 (High) - "Apache Log4j 1.x (EOL) allows Denial of Service (DoS) "
  • CVE-2022-23305 - CVSS 6.5 (Medium) - "SQL Injection in Log4j 1.2.x "

Please can you update the Log4j component at your earliest opportunity to fix the 4 weaknesses this introduces to users devices.
Recommendation is to use latest 2.26.x release from here: https://logging.apache.org/log4j/2.x/download.html as this version is under active development

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions