Log4J vulnerability (CVE-2021-44228)

[ethanpooley]

Could we get a statement from maintainers about CVE-2021-44228? It's been hard for me to tell whether OneBusAway is vulnerable and, if so, what should be done about it. My current, possibly quite flawed, understanding:

• OneBusAway does use Log4J
• Only Log4J v1.x is used, which is not necessarily vulnerable like v2.x
• Unless the JMS Appender class is used, in which case it is vulnerable like v2.x
• If OneBusAway is vulnerable, the formatMsgNoLookups mitigation is not available because the version is too low
• Mitigation might therefore require stringent filtering of all possible user-input vectors (HTTP URI's, headers, bodies, etc.)
• Even if OneBusAway does not appear vulnerable today, exploits tend to expand. It's only been 48 hours.

Consquently, it would be great to hear from some maintainers about their thoughts and plans.

[sheldonabrown]

Correct, OneBusAway is still using Log4j 1.2, so appears to be immune.

Please do your own research and make your own decisions, but as I understand the vulnerability it does not affect OBA.