Wisser/Jailer

Log4j vulnerabilities

philippe-granet opened this issue · 3 comments

Description of the Issue

Log4j 1.x has reached End of Life in 2015 and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
Our security team declared this file as potentially vulnerable: jailer/lib/log4j.jar

Could you upgrade this library?
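The kind of check a security team runs to flag a file like `jailer/lib/log4j.jar`, as an added example that is not part of the issue or of the Jailer project: it opens a jar, classifies it as log4j 1.x, log4j 2.x or something else from its class entries, reads the version out of `META-INF/MANIFEST.MF`, and reports whether `org.apache.log4j.net.JMSAppender` (the class CVE-2021-4104 concerns) is present. The three sample jars are constructed in memory with `zipfile` so the script runs offline; the function and constant names are this example's own.

```python
"""Classify jar files as log4j 1.x / log4j 2.x / other and flag the EOL branch.

Added example, not the reporter's or the project's tooling. Sample jars below
are constructed in memory; real log4j jars contain many more entries.
"""
import io
import zipfile
from pathlib import Path

# Class entries that identify each log4j family (hypothetical marker choice,
# but these classes do exist at these paths in the respective jars).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"   # CVE-2021-4104 class
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
LOG4J2_API_MARKER = "org/apache/logging/log4j/LogManager.class"


def classify_jar_bytes(data: bytes) -> dict:
    """Inspect a jar (as bytes) and return family, version and JMSAppender status."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
    version = None
    for line in manifest.splitlines():
        if line.startswith(("Implementation-Version:", "Bundle-Version:")):
            version = line.split(":", 1)[1].strip()
            break
    if LOG4J1_MARKER in names:
        family = "log4j-1.x"
    elif LOG4J2_CORE_MARKER in names or LOG4J2_API_MARKER in names:
        family = "log4j-2.x"
    else:
        family = "not-log4j"
    return {
        "family": family,
        "version": version,
        # JMSAppender only matters with log4j 1.x; log4j 2 ships a different class.
        "jms_appender": JMS_APPENDER in names,
        # Any log4j 1.x jar is flagged: the branch is EOL and receives no fixes.
        "flag": family == "log4j-1.x",
    }


def classify_jar(path) -> dict:
    """Classify a jar on disk; adds the path to the result."""
    result = classify_jar_bytes(Path(path).read_bytes())
    result["path"] = str(path)
    return result


def scan_dir(root) -> list:
    """Walk a directory tree (e.g. jailer/lib) and classify every *.jar found."""
    return [classify_jar(p) for p in sorted(Path(root).rglob("*.jar"))]


def build_fake_jar(entries, version: str) -> bytes:
    """Construct a minimal jar with a manifest and empty class entries (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic, no real bytecode
    return buf.getvalue()


# Constructed samples: a log4j 1.2.17 jar, a log4j-core 2.17.2 jar, and an unrelated jar.
SAMPLE_LOG4J1 = build_fake_jar([LOG4J1_MARKER, JMS_APPENDER], "1.2.17")
SAMPLE_LOG4J2 = build_fake_jar(
    [LOG4J2_CORE_MARKER, "org/apache/logging/log4j/core/net/JmsAppender.class"], "2.17.2")
SAMPLE_OTHER = build_fake_jar(["org/slf4j/Logger.class"], "1.7.36")

if __name__ == "__main__":
    for label, data in (("log4j1", SAMPLE_LOG4J1), ("log4j2", SAMPLE_LOG4J2),
                        ("slf4j", SAMPLE_OTHER)):
        print(label, classify_jar_bytes(data))
```

On a real checkout, `scan_dir("jailer/lib")` produces one record per jar; a `log4j-1.x` record with `jms_appender` true is what a scanner reports against the file named in this issue. Two caveats: the check only looks at top-level entries, so a fat or shaded jar that embeds log4j under a relocated package would be missed, and presence of `JMSAppender.class` alone does not mean the appender is configured, so the hit is a prompt to upgrade rather than proof of exploitability.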

Yes you are right. Log4j 1 is very outdated. On the other hand, this version of log4j still meets all the requirements for this tool, so updating it wouldn't bring any improvement for the time being, or are there drawbacks I'm overlooking now?

Our security team asks us (thousands of employees) to remove all log4j 1.x from our computers, because it is outdated and potentially vulnerable:
https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Logging has been migrated to SLF4J, with log4j2 2.17.2 as the logging framework. (Release 12.3)