-
Notifications
You must be signed in to change notification settings - Fork 88
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update log4j library #589
Comments
From build.gradle I can see this is using log4j 1, not log4j2 which is affected. |
Yes, you are right, it uses log4j 1.x. But I haven't found any official statement that log4j 1.x is NOT vulnerable at this point. Besides, there are other security gaps in log4j 1.x that could be patched along the way. Update: there is a statement from Apache according log4j 1.x. On the one hand, in the general part of the document it states that log4j 1.x was not tested against vulnerabilities that became known after 2015 and, on the other hand, that it can be vulnerable through CVE-2021-44228 if a JMSAppender is used. If anyone can give a clear statement, we can forget the CVE-2021-44228 thing and update the library for the other security reasons only. |
I have started upgrade to Log4j2. Library was used to parse serialized/XML log4j events and connect to SocketHubAppender. Log4j was not used for internal logging. It means that app is not affected by was not affected by CVE-2021-44228 |
@otrebski, thank you for clarifying this and upating to log4j2 |
Please update the included log4j library to get rid of security issues like https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
The text was updated successfully, but these errors were encountered: