Could we get a statement from maintainers about CVE-2021-44228? It's been hard for me to tell whether OneBusAway is vulnerable and, if so, what should be done about it. My current, possibly quite flawed, understanding:
- OneBusAway does use Log4J
- Only Log4J v1.x is used, which is not necessarily vulnerable like v2.x
- Unless the JMS Appender class is used, in which case it is vulnerable like v2.x
- If OneBusAway is vulnerable, the formatMsgNoLookups mitigation is not available because the version is too low
- Mitigation might therefore require stringent filtering of all possible user-input vectors (HTTP URIs, headers, bodies, etc.)
- Even if OneBusAway does not appear vulnerable today, exploits tend to expand. It's only been 48 hours.

Consequently, it would be great to hear from some maintainers about their thoughts and plans.
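The three questions the post turns on (is Log4J present, is it the 1.x or 2.x line, and is the JMSAppender actually wired up in the logging config) can be answered from the deployed artifacts rather than guessed. The following is an added example, not code from the OneBusAway project or from the issue's author: it inspects a jar for the class-file markers that distinguish Log4J 1.x from 2.x and for the JMSAppender class, then reads a log4j.properties/log4j.xml fragment to see whether JMSAppender is configured. The function names, the result strings, and the in-memory sample jar and configs are all constructed for the example; the class paths are the real ones shipped in Log4J 1.2 and log4j-core 2.x.

```python
# Added example (not from the OneBusAway issue or project): an offline
# inventory check for the Log4J questions raised in the post above.
import io
import re
import zipfile

# Class-file markers used to tell the two Log4J generations apart.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_JNDI_MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"
JMS_APPENDER_FQCN = "org.apache.log4j.net.JMSAppender"


def inspect_jar(jar_bytes: bytes) -> dict:
    """Return which Log4J markers a jar (given as bytes) contains, plus its
    Implementation-Version from the manifest when one is declared."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            if match:
                version = match.group(1)
    return {
        "log4j1": LOG4J1_MARKER in names,
        "log4j2_jndi_lookup": LOG4J2_JNDI_MARKER in names,
        "jms_appender_class": JMS_APPENDER_CLASS in names,
        "version": version,
    }


def jms_appender_configured(config_text: str) -> bool:
    """True if a log4j.properties or log4j.xml fragment wires up JMSAppender.
    Comment lines in .properties (# or !) and XML comments are ignored so a
    commented-out appender does not count as configured."""
    text = re.sub(r"<!--.*?-->", "", config_text, flags=re.S)
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", "!")):
            continue
        if JMS_APPENDER_FQCN in stripped:
            return True
    return False


def assess(jar_bytes: bytes, config_text: str) -> str:
    """Map the jar inventory and logging config onto the cases in the post."""
    info = inspect_jar(jar_bytes)
    if info["log4j2_jndi_lookup"]:
        return "log4j2-with-jndi-lookup: apply the CVE-2021-44228 remediation"
    if not info["log4j1"]:
        return "no-log4j-found"
    if jms_appender_configured(config_text):
        return "log4j1-jms-appender-configured: the 1.x case the post flags"
    if info["jms_appender_class"]:
        return "log4j1-jms-appender-class-present-but-unconfigured"
    return "log4j1-no-jms-appender"


def build_sample_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {path: bytes}; used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample data: a minimal Log4J 1.x-shaped jar and two configs.
SAMPLE_LOG4J1_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n",
    LOG4J1_MARKER: b"\xca\xfe\xba\xbe",      # class-file magic only, not real bytecode
    JMS_APPENDER_CLASS: b"\xca\xfe\xba\xbe",
})
SAFE_CONFIG = ("log4j.rootLogger=INFO, stdout\n"
               "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n")
JMS_CONFIG = SAFE_CONFIG + "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"

if __name__ == "__main__":
    print(inspect_jar(SAMPLE_LOG4J1_JAR))
    print(assess(SAMPLE_LOG4J1_JAR, SAFE_CONFIG))
    print(assess(SAMPLE_LOG4J1_JAR, JMS_CONFIG))
```

To run it against a real deployment, feed `assess` the bytes of each log4j jar found on the classpath (for example under the webapp's WEB-INF/lib) together with the effective log4j.properties or log4j.xml; the distinction between "class present" and "class configured" matters because, as the post notes, the 1.x concern is tied to JMSAppender actually being used, not merely shipped.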