Netflix / photon

Photon is a Java implementation of the Interoperable Master Format (IMF) standard. IMF is a SMPTE standard whose core constraints are defined in the specification st2067-2:2013
Apache License 2.0

Log4j Security Vulnerabilities #298

Open ss207210 opened 2 years ago

ss207210 commented 2 years ago

Photon is using log4j-1.2.17 version. Is Netflix going to provide any patch for it?

cconcolato commented 2 years ago

Thank you for the issue. The understanding is that Photon is not affected by the Log4Shell vulnerability, because of the version that is used. However, that version is quite old, therefore we are in the process of migrating to the latest Log4J version (2.16), see https://github.com/Netflix/photon/pull/299

troykelly commented 2 years ago

In case somebody ends up here looking for clarification - 1.2.17 is vulnerable in certain configurations. This will need to be mitigated in some way.