Update log4j library #589
Comments
|
From build.gradle I can see this is using log4j 1, not log4j2 which is affected. |
|
Yes, you are right, it uses log4j 1.x. But I haven't found any official statement that log4j 1.x is NOT vulnerable at this point. Besides, there are other security gaps in log4j 1.x that could be patched along the way. Update: there is a statement from Apache according log4j 1.x. On the one hand, in the general part of the document it states that log4j 1.x was not tested against vulnerabilities that became known after 2015 and, on the other hand, that it can be vulnerable through CVE-2021-44228 if a JMSAppender is used. If anyone can give a clear statement, we can forget the CVE-2021-44228 thing and update the library for the other security reasons only. |
|
I have started upgrade to Log4j2. Library was used to parse serialized/XML log4j events and connect to SocketHubAppender. Log4j was not used for internal logging. It means that app is not affected by was not affected by CVE-2021-44228 |
|
@otrebski, thank you for clarifying this and upating to log4j2 |
Please update the included log4j library to get rid of security issues like https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
The text was updated successfully, but these errors were encountered: