Upgrade log4j2 dependency to 2.15.0 or later.
afs opened this issue · 4 comments
afs commented
Upgrade log4j2 dependency to 2.15.0 or later.
afs commented
log4j 2.16.0 is now available.
It is not a security release but it does completely remove the feature the vulnerability exploits.
HolgerKnublauch commented
Thanks, Andy.
afs commented
Update: There is now a "moderate" vulnerability in log4j 2.15.0 which is fixed by log4j 2.16.0.
CVE-2021-45046.
VonUniGE commented
- Log4j 2.16.0 is vulnerable to CVE-2021-45105.
- Log4j 2.17.0 is vulnerable to CVE-2021-44832.
Log4j should be updated to 2.17.1.