Dom4J Vulnerability

Hi Graylog Team,

Our security team has flagged the following dependency ‘apache.servicemix.bundles.dom4j:1.6.1_5’ as vulnerable in Graylog <= 3.0.0. Is Graylog likely to be affected by this vulnerability?

Thanks

I assume that’s in reference to this CVE:

https://nvd.nist.gov/vuln/detail/CVE-2018-1000632

If Graylog includes an older version of this library, then yes it could be vulnerable. Pinging @jan and @jochen to ask about Graylog’s policies and practices regarding keeping up-to-date on third-party includes.
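The reply above hinges on one question: does the installed Graylog build actually ship that dom4j bundle, and at which version? A scanner tool answers this without trusting a dependency manifest. The following is an added example written for this thread, not code from the Graylog project or from either poster. It reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` files that Maven embeds in jars, recursing one level into nested jars so that a fat jar with bundled libraries is covered. The sample jar it builds in memory is constructed test data; the Maven coordinates `org.apache.servicemix.bundles:org.apache.servicemix.bundles.dom4j:1.6.1_5` are assumed to be the ones behind the dependency name quoted in the question.

```python
"""Scan a jar (or fat jar) for an embedded Maven artifact such as dom4j.

Added example for this thread; not Graylog's code. It reads the
pom.properties files Maven places under META-INF/maven/ and recurses one
level into nested *.jar entries, which is how fat/one-jar layouts bundle
their dependencies.
"""
import io
import re
import sys
import zipfile

# META-INF/maven/<groupId>/<artifactId>/pom.properties
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_pom_properties(text):
    """Parse a Java .properties body into a dict (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def find_artifacts(jar_bytes, name_pattern, depth=0, path="<root>"):
    """Return [(location, groupId, artifactId, version)] for every embedded
    Maven artifact whose artifactId or groupId matches name_pattern.

    location is "<root>" for the top-level jar, or "<root>!lib/x.jar" for an
    artifact found inside a nested jar. Only one level of nesting is followed.
    """
    pat = re.compile(name_pattern)
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            m = POM_PROPS.match(info.filename)
            if m:
                props = parse_pom_properties(zf.read(info).decode("utf-8", "replace"))
                gid = props.get("groupId", m.group(1))
                aid = props.get("artifactId", m.group(2))
                ver = props.get("version", "?")
                if pat.search(aid) or pat.search(gid):
                    found.append((path, gid, aid, ver))
            elif depth == 0 and info.filename.endswith(".jar"):
                # Nested dependency jar inside a fat jar: scan it too.
                found.extend(find_artifacts(zf.read(info), name_pattern,
                                            depth + 1, f"{path}!{info.filename}"))
    return found


def build_sample_jar():
    """Constructed test data: an application fat jar that bundles a dom4j
    bundle jar. The Maven coordinates are assumed from the dependency name
    quoted in the question; nothing here is a real Graylog artifact."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(
            "META-INF/maven/org.apache.servicemix.bundles/"
            "org.apache.servicemix.bundles.dom4j/pom.properties",
            "#Generated by Maven\n"
            "version=1.6.1_5\n"
            "groupId=org.apache.servicemix.bundles\n"
            "artifactId=org.apache.servicemix.bundles.dom4j\n",
        )
        z.writestr("org/dom4j/Element.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/maven/com.example/app/pom.properties",
                   "version=3.0.0\ngroupId=com.example\nartifactId=app\n")
        z.writestr("lib/org.apache.servicemix.bundles.dom4j-1.6.1_5.jar",
                   inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python scan_jar.py /path/to/graylog.jar   (no argument: sample jar)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    hits = find_artifacts(data, r"dom4j")
    for loc, gid, aid, ver in hits:
        print(f"{loc}: {gid}:{aid}:{ver}")
    if not hits:
        print("no matching artifact found")
```

Point it at the server jar of the installation in question and compare the reported version against the advisory. One caveat: shaded or repackaged jars sometimes strip `pom.properties`, so an empty result is not proof of absence; in that case fall back to the jar file names and the `Bundle-Version` header in `META-INF/MANIFEST.MF`, which this example does not read.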
