
=====================================================================

                             CERT-Renater

                   Information Note No. 2021/VULN661
_____________________________________________________________________

DATE                : 17/12/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running pear-archetype (maven).

=====================================================================
https://github.com/averbis/pear-archetype/security/advisories/GHSA-j7c3-96rf-jrrp
_____________________________________________________________________


Critical vulnerability in log4j may affect generated PEAR projects

critical
cgaege published GHSA-j7c3-96rf-jrrp Dec 16, 2021


Package
de.averbis.textanalysis:pear-archetype (maven)

Affected versions
2.0.0

Patched versions
2.0.1


Description

Impact

UIMA PEAR projects that have been generated with
de.averbis.textanalysis:pear-archetype version 2.0.0 declare a Maven
dependency on log4j 2.8.2 with scope test and might be affected by
CVE-2021-44228.


Patches

     The issue has been resolved in
de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure
to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for
generating new PEAR projects.

     Existing maven PEAR projects can be patched by manually upgrading to
log4j >= 2.16.0 in pom.xml.
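
One way to check an existing project's pom.xml for a log4j dependency below 2.16.0, test scope included, as an added example that is not part of the original advisory or of the pear-archetype project. The sample pom.xml is constructed; the artifactId log4j-core and the property name log4j.version are assumptions about what a generated project contains.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}  # standard POM namespace
LOG4J_GROUP = "org.apache.logging.log4j"
MIN_FIXED = (2, 16, 0)  # minimum version named in the advisory

# Constructed sample pom.xml; the artifactId and property name are assumptions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>2.8.2</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""

def parse_version(text):
    """Turn '2.8.2' or '2.16.0-SNAPSHOT' into a comparable 3-tuple of ints."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_outdated_log4j(pom_xml):
    """Return (artifactId, version, scope) for log4j 2 dependencies below 2.16.0."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iterfind(".//m:dependency", NS):
        if dep.findtext("m:groupId", "", NS).strip() != LOG4J_GROUP:
            continue
        raw = dep.findtext("m:version", "", NS).strip()
        # Resolve ${name} against this file's <properties>; leave unknown names as-is.
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        artifact = dep.findtext("m:artifactId", "", NS).strip()
        scope = dep.findtext("m:scope", "compile", NS).strip()  # test scope is checked too
        if not version[:1].isdigit():
            findings.append((artifact, "unresolved", scope))  # needs manual review
        elif parse_version(version) < MIN_FIXED:
            findings.append((artifact, version, scope))
    return findings

if __name__ == "__main__":
    for artifact, version, scope in find_outdated_log4j(SAMPLE_POM):
        print(f"{LOG4J_GROUP}:{artifact} {version} (scope {scope}) is below 2.16.0")
```

Versions are compared numerically, so 2.8.2 is correctly ordered before 2.16.0. Versions inherited from a parent pom or a BOM are reported as unresolved rather than guessed.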


References

https://www.lunasec.io/docs/blog/log4j-zero-day/


For more information

If you have any questions or comments about this advisory:

     Open an issue in https://github.com/averbis/pear-archetype/issues


CVE ID
CVE-2021-44228




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================

