N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j7c3-96rf-jrrp

EPSS Score

CWE

Published

12/16/2021

Updated

1/9/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-j7c3-96rf-jrrp

GHSA-j7c3-96rf-jrrp: Critical vulnerability in log4j may affect generated PEAR projects

Impact

UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.

Patches

The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.
Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml.

References

https://www.lunasec.io/docs/blog/log4j-zero-day/

For more information

If you have any questions or comments about this advisory:

Open an issue in https://github.com/averbis/pear-archetype/issues

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-j7c3-96rf-jrrp

EPSS Score

CWE

Published

12/16/2021

Updated

1/9/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
de.averbis.textanalysis:pear-archetype	maven	= 2.0.0	2.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using log4j 2.8.2 as a dependency, which contains the Log4Shell (CVE-2021-44228) vulnerability. The PEAR archetype itself does not contain vulnerable code functions - the risk comes from projects inheriting the vulnerable log4j dependency through their pom.xml. The actual vulnerable functions exist within log4j's JNDI lookup features (e.g., JndiLookup class), not in the pear-archetype codebase. The fix involves updating the dependency version, not modifying application code. No specific functions in the pear-archetype package were identified as vulnerable with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t UIM* P**R proj**ts t**t **v* ***n **n*r*t** wit* t** `**.*v*r*is.t*xt*n*lysis:p**r-*r***typ* ` v*rsion `*.*.*` **v* * m*v*n **p*n**n*y wit* s*op* `t*st` to` lo**j *.*.*` *n* mi**t ** *****t** *y *V*-****-*****. ### P*t***s - T** issu* **s

Reasoning

T** vuln*r**ility st*ms *rom usin* `lo**j` *.*.* *s * **p*n**n*y, w*i** *ont*ins t** Lo**S**ll (*V*-****-*****) vuln*r**ility. T** P**R *r***typ* its*l* *o*s not *ont*in vuln*r**l* *o** *un*tions - t** risk *om*s *rom proj**ts in**ritin* t** vuln*r**

N/A

Basic Information

Concerned about an active attack path?

GHSA-j7c3-96rf-jrrp: Critical vulnerability in log4j may affect generated PEAR projects

Impact

Patches

References

For more information

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI