gaia using a vulnerable version of log4j2
rknechtel opened this issue · 1 comment
rknechtel commented
Describe the bug
After doing an effective-pom I discovered gaia is using a vulnerable version of log4j2.
<log4j2.version>2.13.3</log4j2.version>
To Reproduce
Steps to reproduce the behavior:
- run:
mvn help:effective-pom - look for log4j2.version.
- See vulnerable version number.
Expected behavior
log4j2 version should be at least 2.17.1 or greater.
Additional context
This makes gaia a vulnerable application.
This version of log4j2 is coming from:
org.springframework.boot
spring-boot-starter-data-mongodb
It will mean gaia will need to be updated from Spring Boot 2.4.2 to 2.6.4.
Reference:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core
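A scriptable form of the reproduction steps above, added here as an example that is not part of the issue or the gaia project: it pulls `log4j2.version` out of effective-POM text and compares it, field by field, against the 2.17.1 minimum the report asks for. The POM fragment inside the script is a constructed sample standing in for real `mvn help:effective-pom` output; `-Doutput` in the usage line is Maven's own parameter for writing the effective POM to a file.

```shell
#!/bin/sh
# Added example, not gaia project code: check the log4j2 version that Maven
# resolves in the effective POM against the minimum fixed release.

MIN_LOG4J2="2.17.1"   # minimum acceptable release, per the issue report

# Constructed sample resembling the relevant fragment of an effective POM.
SAMPLE_POM='<project>
  <properties>
    <log4j2.version>2.13.3</log4j2.version>
  </properties>
</project>'

# extract_log4j2_version: print the value of the first <log4j2.version>
# element read from stdin (empty output if the property is absent).
extract_log4j2_version() {
    sed -n 's|.*<log4j2\.version>\([^<]*\)</log4j2\.version>.*|\1|p' | head -n 1
}

# version_ge A B: return 0 if dotted version A >= B, comparing each numeric
# field in turn; missing trailing fields count as 0 (so 2.17 == 2.17.0).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_log4j2 POM_TEXT: return 0 if the resolved log4j2 version meets
# MIN_LOG4J2, 1 if it is older, 2 if no log4j2.version property was found.
check_log4j2() {
    v=$(printf '%s\n' "$1" | extract_log4j2_version)
    if [ -z "$v" ]; then
        echo "no log4j2.version property found in effective POM" >&2
        return 2
    fi
    if version_ge "$v" "$MIN_LOG4J2"; then
        echo "log4j2.version $v OK (>= $MIN_LOG4J2)"
        return 0
    fi
    echo "log4j2.version $v is VULNERABLE (< $MIN_LOG4J2)" >&2
    return 1
}

# Demo on the constructed sample: 2.13.3 < 2.17.1, so this reports VULNERABLE.
check_log4j2 "$SAMPLE_POM" || true
```

Against a real build, generate the file first and feed it in: `mvn -q help:effective-pom -Doutput=effective-pom.xml && check_log4j2 "$(cat effective-pom.xml)"`. Because the property is inherited from Spring Boot's dependency management, a project can also pin a newer value by declaring `<log4j2.version>` in its own `<properties>` until the Spring Boot upgrade the report calls for is done.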
leslie-alldridge commented
Yikes!!