Log4j vulnerability CVE-2021-44228
ErikLentz opened this issue · 3 comments
ErikLentz commented
I noticed this project imports log4j. Would it be impacted by CVE-2021-44228?
dlmcpaul commented
I am using the default logging package provided by spring boot and haven't included the affected log4j2 package.
So based on this https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot I am not affected by the CVE.
This project is also wired into the Snyk vulnerability scanner and it has not raised this as an issue.
ErikLentz commented
Thanks!
dlmcpaul commented
Thank you for keeping an eye out for such things.
I expect once I finish work for the year and head into Christmas I should find some time to release a new version. This will include upgrades to the latest jars.
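A way to check the reasoning in dlmcpaul's first reply, as an added example that is not the project's own code: CVE-2021-44228 lives in the `log4j-core` artifact, while Spring Boot's default logging starter only pulls in `log4j-api` and `log4j-to-slf4j`. The script assumes Maven `dependency:tree`-style text, uses a constructed sample tree, and treats any `log4j-core` below 2.15.0 as affected (the 2.3.x and 2.12.x backport releases are not handled).

```python
import re

# Constructed sample in the style of `mvn dependency:tree` output;
# it is not taken from the project discussed in this issue.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
"""

# First log4j-core release that addressed CVE-2021-44228 (major, minor).
FIRST_FIXED = (2, 15)

# group:artifact:type:version, restricted to the Log4j 2 group id.
COORD = re.compile(
    r"org\.apache\.logging\.log4j:(log4j-[\w-]+):[\w-]+:([^:\s]+)"
)


def classify(tree_text):
    """Sort Log4j 2 artifacts into affected core, patched core, and others."""
    findings = {"affected": [], "core_patched": [], "not_core": []}
    for artifact, version in COORD.findall(tree_text):
        entry = f"{artifact}:{version}"
        if artifact != "log4j-core":
            # log4j-api and bridges such as log4j-to-slf4j do not contain
            # the JNDI lookup code, so they are listed but not flagged.
            findings["not_core"].append(entry)
            continue
        # Compare on (major, minor); pre-release suffixes are dropped and an
        # unparseable version yields () which sorts as affected (conservative).
        nums = tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0])[:2])
        key = "affected" if nums < FIRST_FIXED else "core_patched"
        findings[key].append(entry)
    return findings


def is_exposed(tree_text):
    """True when the tree contains a log4j-core older than the first fix."""
    return bool(classify(tree_text)["affected"])


if __name__ == "__main__":
    print(classify(SAMPLE_TREE))
    print("exposed:", is_exposed(SAMPLE_TREE))
```

A clean result here only covers the declared dependency tree; shaded or repackaged copies of `log4j-core` inside other jars need a scan of the built artifact.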