An update for logback is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2025-1082 Final 1.0 1.0 2025-01-24 Initial 2025-01-24 2025-01-24 openEuler SA Tool V1.0 2025-01-24 logback security update An update for logback is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1 Logback is intended as a successor to the popular log4j project. Security Fix(es): ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege.(CVE-2024-12798) Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in  XML configuration files.(CVE-2024-12801) An update for logback is now available for openEuler-20.03-LTS-SP4,openEuler-22.03-LTS-SP3,openEuler-22.03-LTS-SP4,openEuler-24.03-LTS,openEuler-24.03-LTS-SP1. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High logback https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1082 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-12798 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-12801 https://nvd.nist.gov/vuln/detail/CVE-2024-12798 https://nvd.nist.gov/vuln/detail/CVE-2024-12801 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 logback-1.2.8-4.oe2003sp4.noarch.rpm logback-access-1.2.8-4.oe2003sp4.noarch.rpm logback-examples-1.2.8-4.oe2003sp4.noarch.rpm logback-help-1.2.8-4.oe2003sp4.noarch.rpm logback-1.2.8-4.oe2203sp3.noarch.rpm logback-access-1.2.8-4.oe2203sp3.noarch.rpm logback-examples-1.2.8-4.oe2203sp3.noarch.rpm logback-help-1.2.8-4.oe2203sp3.noarch.rpm logback-1.2.8-4.oe2203sp4.noarch.rpm logback-access-1.2.8-4.oe2203sp4.noarch.rpm logback-examples-1.2.8-4.oe2203sp4.noarch.rpm logback-help-1.2.8-4.oe2203sp4.noarch.rpm logback-1.2.8-4.oe2403.noarch.rpm logback-access-1.2.8-4.oe2403.noarch.rpm logback-examples-1.2.8-4.oe2403.noarch.rpm logback-help-1.2.8-4.oe2403.noarch.rpm logback-1.2.8-4.oe2403sp1.noarch.rpm logback-access-1.2.8-4.oe2403sp1.noarch.rpm logback-examples-1.2.8-4.oe2403sp1.noarch.rpm logback-help-1.2.8-4.oe2403sp1.noarch.rpm logback-1.2.8-4.oe2003sp4.src.rpm logback-1.2.8-4.oe2203sp3.src.rpm logback-1.2.8-4.oe2203sp4.src.rpm logback-1.2.8-4.oe2403.src.rpm logback-1.2.8-4.oe2403sp1.src.rpm ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. 2025-01-24 CVE-2024-12798 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 High 7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H logback security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1082 Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in  XML configuration files. 2025-01-24 CVE-2024-12801 openEuler-20.03-LTS-SP4 openEuler-22.03-LTS-SP3 openEuler-22.03-LTS-SP4 openEuler-24.03-LTS openEuler-24.03-LTS-SP1 Medium 5.0 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N logback security update 2025-01-24 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1082