
serverless/lib/plugins/create/templates/aws-kotlin-jvm-gradle/build.gradle, because this file has log4j 2.13 version #10370

Closed
4 tasks done
JuanBermudezN opened this issue Dec 15, 2021 · 15 comments · Fixed by #10382

Comments

@JuanBermudezN
Contributor

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest version?

  • Yes, I'm using the latest version

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

Hello, good morning. I want to know if you are going to update the version of log4j in the following plugin: plugins/create/templates/aws-kotlin-jvm-gradle/build.gradle, because this file has log4j 2.13 versions:

'org.apache.logging.log4j:log4j-api:2.13.3',
'org.apache.logging.log4j:log4j-core:2.13.3',

thank you.

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

N/A

Environment information

2.69.1
@medikoo
Contributor

medikoo commented Dec 15, 2021

@JuanBermudezN PR's welcome!

@MarinaMeza
Contributor

In the same plugin, the version of aws-lambda-java-log4j2 is 1.2.0, and AWS recommends updating to version 1.3.0.
Link to AWS doc

@JuanBermudezN
Contributor Author

> @JuanBermudezN PR's welcome!

Do you know if updating org.apache.logging.log4j:log4j-api:2.13.3 to org.apache.logging.log4j:log4j-api:2.16.0,
and org.apache.logging.log4j:log4j-core:2.16.0 has a breaking change on this file?

@medikoo
Contributor

medikoo commented Dec 15, 2021

@JuanBermudezN No, unfortunately I'm not familiar with Java runtime handling

@pgrzesik
Contributor

@JuanBermudezN I believe it does not include any breaking changes and we should upgrade it in the templates to 2.16.0 at least - PRs are welcome to address that for all our existing templates. Additionally, as @MarinaMeza pointed out, we should also update aws-lambda-java-log4j2 to 1.4.0 which is now the recommended version by AWS:

> Independent of this change, we strongly encourage all customers whose functions include Log4j2 to update to the latest version. Specifically, customers using the aws-lambda-java-log4j2 library in their functions should update to version 1.4.0 and redeploy their functions. This version updates the underlying Log4j2 utility dependencies to version 2.16.0. The updated aws-lambda-java-log4j2 binary is available at the Maven repository and its source code is available in Github.

PRs for that change would also be very welcome 🙇

@MarinaMeza
Contributor

I created a PR for the AWS upgrade only since there's another PR for updating the other two dependencies

@pgrzesik
Contributor

Hello @varun73 and @MarinaMeza - there seems to be a bit of overlap between your corresponding PRs - I don't want any of you stepping on each others toes, could we agree what part each of you would like to cover? That way we could avoid unnecessary work when both of you cover the same thing.

@varun73
Contributor

varun73 commented Dec 17, 2021

Hi @pgrzesik, I can revert the AWS library changes and only keep the Apache log4j changes. @MarinaMeza has covered all the AWS log4j changes.

@pgrzesik
Contributor

That would be great @varun73 - sorry for the confusion and big thanks to both of you for addressing this 🙇

@varun73
Contributor

varun73 commented Dec 17, 2021

@pgrzesik No problem, I have reverted the aws library change. There should be no overlap now.

@JuanBermudezN
Contributor Author

They found a new vulnerability in version 2.16.0; there is a new update for log4j, 2.17.0, and also a new version of aws-lambda-java-log4j2, 1.5.0. I will try to make the PR to the repository.
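The thread above moves the target versions twice (log4j 2.16.0 with aws-lambda-java-log4j2 1.4.0, then log4j 2.17.0 with aws-lambda-java-log4j2 1.5.0), which is exactly the situation where a repeatable check beats re-reading every template's build.gradle by hand. The following is an added example, not code from the serverless project or from anyone in this thread: a small Node.js audit that scans Gradle dependency coordinates for the Log4j-related artifacts named in the thread and reports any whose version is below a minimum. The minimum versions are taken from the thread's final targets and are an assumption to be updated against current advisories; the Maven group `com.amazonaws` for aws-lambda-java-log4j2 is assumed because the page never shows it; and the sample build file contents are constructed to resemble the template, not copied from it.

```javascript
// Added example (not part of serverless/serverless): audit Gradle build files
// for Log4j-related dependency coordinates below a minimum version.
//
// ASSUMPTION: the minimums come from the final targets named in the issue
// thread (log4j 2.17.0, aws-lambda-java-log4j2 1.5.0); keep them current.
// ASSUMPTION: the Maven group for aws-lambda-java-log4j2 is com.amazonaws.
const MINIMUM_VERSIONS = {
  'org.apache.logging.log4j:log4j-core': '2.17.0',
  'org.apache.logging.log4j:log4j-api': '2.17.0',
  'com.amazonaws:aws-lambda-java-log4j2': '1.5.0',
};

// Matches 'group:artifact:version' (single or double quotes), which covers
// both the Groovy DSL list style and the Kotlin DSL call style.
const COORDINATE_RE = /['"]([\w.-]+):([\w.-]+):([\w.-]+)['"]/g;

// Segment-wise numeric comparison so that 2.9.1 < 2.13.3; a plain string
// comparison would rank "2.9.1" above "2.13.3". Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map((s) => parseInt(s, 10) || 0);
  const pb = b.split('.').map((s) => parseInt(s, 10) || 0);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i += 1) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Scans one build file's text and returns findings for every tracked
// coordinate whose version is below its minimum. Each finding carries the
// 1-based line number so the report points at the exact declaration.
function auditGradle(text) {
  const findings = [];
  text.split('\n').forEach((lineText, idx) => {
    for (const m of lineText.matchAll(COORDINATE_RE)) {
      const coordinate = `${m[1]}:${m[2]}`;
      const minimum = MINIMUM_VERSIONS[coordinate];
      if (minimum && compareVersions(m[3], minimum) < 0) {
        findings.push({ line: idx + 1, coordinate, version: m[3], minimum });
      }
    }
  });
  return findings;
}

// Renders findings as one line each; an empty array means the file is clean.
function formatReport(findings) {
  return findings.map(
    (f) => `line ${f.line}: ${f.coordinate}:${f.version} is below ${f.minimum}`,
  );
}

// Constructed sample resembling the pre-fix template (not the real file).
const SAMPLE_BUILD_GRADLE = `dependencies {
    implementation 'org.jetbrains.kotlin:kotlin-stdlib'
    implementation 'com.amazonaws:aws-lambda-java-log4j2:1.2.0'
    implementation 'org.apache.logging.log4j:log4j-api:2.13.3'
    implementation 'org.apache.logging.log4j:log4j-core:2.13.3'
}`;

// Constructed sample after the upgrade the thread settles on.
const UPGRADED_BUILD_GRADLE = `dependencies {
    implementation("org.jetbrains.kotlin:kotlin-stdlib")
    implementation("com.amazonaws:aws-lambda-java-log4j2:1.5.0")
    implementation("org.apache.logging.log4j:log4j-api:2.17.0")
    implementation("org.apache.logging.log4j:log4j-core:2.17.0")
}`;

// Stand-alone usage: report on both samples.
for (const [name, text] of [
  ['before', SAMPLE_BUILD_GRADLE],
  ['after', UPGRADED_BUILD_GRADLE],
]) {
  const lines = formatReport(auditGradle(text));
  console.log(`${name}: ${lines.length ? lines.join('; ') : 'no findings'}`);
}
```

To run this over a real checkout, feed `auditGradle` the contents of every `build.gradle` and `build.gradle.kts` under the templates directory (for example with `fs.readFileSync` in a loop over `fs.readdirSync` results) and fail the CI job when any file yields findings. Note that the check matches only literal coordinate strings; a version pulled from a `gradle.properties` variable or an `ext` block would have to be resolved first, which is one reason the thread's contributors went through each template by hand.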

@JuanBermudezN
Contributor Author

@pgrzesik Hello, good afternoon, one question, do you know when you are going to launch a new release with the log4j changes?
thank you.

@pgrzesik
Contributor

Hello @JuanBermudezN - it should be released sometime this week

@yyamano
Contributor

yyamano commented Mar 10, 2022

@pgrzesik Could you close the issue?
I can't find any reasons for keeping it open. The pull request is merged and the change is already released.

@pgrzesik
Contributor

Sure, thanks for bringing this up @yyamano 👍
