From d983070b49ce82666a3dafabf70cc69279fb8358 Mon Sep 17 00:00:00 2001
From: Ali Jaafer <93264687+i5d6@users.noreply.github.com>
Date: Sun, 27 Apr 2025 15:33:29 +0300
Subject: [PATCH] Update build.gradle

The slf4j-log4j12:1.6.1 library is linked to Log4j 1.x. Log4j version 1.x contains serious vulnerabilities, most notably the possibility of remote command execution (RCE) by serializing/deserializing untrusted data in components such as SocketServer, JMSSink, or when reading logs from an external source. This version may allow serialized objects to be received over the network or files, which could lead to exploitation. Simply put: Using slf4j-log4j12:1.6.1 exposes you to serious vulnerabilities such as RCE due to mishandling of untrusted data during logging or networking operations.
---
 eureka-server-governator/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/eureka-server-governator/build.gradle b/eureka-server-governator/build.gradle
index 1081b8660f..550e57d8f1 100644
--- a/eureka-server-governator/build.gradle
+++ b/eureka-server-governator/build.gradle
@@ -9,7 +9,7 @@ dependencies {
 compile "com.sun.jersey:jersey-server:${jerseyVersion}"
 compile "com.sun.jersey:jersey-servlet:${jerseyVersion}"
 compile "com.sun.jersey.contribs:jersey-guice:${jerseyVersion}"
- compile 'org.slf4j:slf4j-log4j12:1.6.1'
+ implementation 'org.slf4j:slf4j-simple:1.7.36'
 runtimeOnly "org.codehaus.jettison:jettison:${jettisonVersion}"
 providedCompile "javax.servlet:servlet-api:${servletVersion}"
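Review bot: The added line uses the `implementation` configuration while every other entry in this `dependencies` block still uses the legacy `compile`/`providedCompile` configurations, so the block now mixes two configuration generations; since a SLF4J binding is never compiled against and the block already uses `runtimeOnly` for jettison, `runtimeOnly 'org.slf4j:slf4j-simple:1.7.36'` would be the more precise and more consistent choice, provided the Gradle version this build runs on supports it. Swapping the binding also silently changes the module's logging behaviour: slf4j-simple does not read log4j.properties, so any level, appender or rotation configuration this server relied on is dropped unless an equivalent simplelogger configuration is added, which the commit does not mention. Removing the slf4j-log4j12 binding does not by itself guarantee that Log4j 1.x leaves the runtime classpath, because another dependency may still pull in `log4j:log4j` transitively; the resolved dependency tree should be checked to confirm the commit's stated goal is actually achieved. The enclosing `dependencies { }` block continues outside the hunk.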