OpenWIS / openwis

http://openwis.github.io/openwis
GNU General Public License v3.0

Investigate if log4j vulnerability affects the latest version of OpenWIS #381

Closed solson-nws closed 2 years ago

solson-nws commented 2 years ago

Recently, Log4J CVE-2021-44228 showed up as an exploitable risk. The dependency links to the most impossible of components to upgrade: OpenAM-13.0.0 / OpenAM-12.0.0. The vulnerability affects log4j versions 2.0.1 to 2.14.

Upon investigation, it turns out that OpenWIS uses a much older version of log4j. See below:

OpenWIS Dependencies:

find . -name '*.pom' -exec grep log4j {} \; -print

1.2.16 log4j-over-slf4j
./openwis-libs/libs/13.0.0/openam-13.0.0.pom
log4j log4j
./openwis-libs/libs/pvalsecc-0.9.2.pom
1.2.16 log4j log4j ${log4j.version}

OpenWIS uses version 1.2.16 of log4j, which is not vulnerable. The NWS continues to investigate, but it appears OpenWIS is not vulnerable to this log4j exploit.
solson-nws commented 2 years ago

log4j did not affect the OpenWIS software stack. The version of log4j in play for OpenWIS doesn't fall within the affected range of log4j that was vulnerable.
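The check in the first comment is done by eye: grep the POMs, spot the log4j coordinates, and compare the version against the CVE-2021-44228 range. The script below is an added example, not code from this issue or from the OpenWIS project, that automates the same check: it parses a POM, resolves `${...}` properties such as `${log4j.version}`, keeps only coordinates that actually ship log4j code, and flags versions in the affected 2.0-beta9 to 2.14.1 range (excluding the 2.3.1 and 2.12.2 security backports). The two sample POMs are constructed for the example and only mimic the shape of the grep output above; the function names and the `LOG4J_COORDS` set are the example's own. Note that `log4j-over-slf4j` is SLF4J's bridge for the log4j 1.x API and contains no log4j classes, so it is not treated as log4j here, and that a 1.x version landing outside the range says only that this CVE does not apply to it, nothing about other issues in the 1.x branch.

```python
"""Scan Maven POM text for log4j dependencies and flag CVE-2021-44228's affected range.

Added example for this issue; constructed sample POMs, not the OpenWIS build files.
"""
import re
import xml.etree.ElementTree as ET

# Coordinates that actually ship log4j code. org.slf4j:log4j-over-slf4j is a
# bridge that reimplements the log4j 1.x API on top of SLF4J, so it is excluded.
LOG4J_COORDS = {
    ("log4j", "log4j"),                           # log4j 1.x
    ("org.apache.logging.log4j", "log4j-core"),   # log4j 2.x, where the JNDI lookup lives
}

STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}    # pre-release stages sort before a final
FINAL_RANK = 3


def parse_version(text):
    """Turn '2.0-beta9', '2.14.1' or '1.2.16' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?", text.strip())
    if m is None:
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch = (int(g) if g else 0 for g in m.group(1, 2, 3))
    stage, num = m.group(4), m.group(5)
    if stage is None:
        return (major, minor, patch, FINAL_RANK, 0)
    return (major, minor, patch, STAGE_RANK.get(stage.lower(), 0), int(num or 0))


AFFECTED_LOW = parse_version("2.0-beta9")
AFFECTED_HIGH = parse_version("2.14.1")
SECURITY_BACKPORTS = {parse_version("2.3.1"), parse_version("2.12.2")}


def is_affected_by_cve_2021_44228(version):
    key = parse_version(version)
    if key in SECURITY_BACKPORTS:
        return False
    return AFFECTED_LOW <= key <= AFFECTED_HIGH


def _strip(tag):
    # Drop the Maven XML namespace so tags compare by local name.
    return tag.split("}", 1)[1] if "}" in tag else tag


def _text(elem, name):
    for child in elem:
        if _strip(child.tag) == name:
            return (child.text or "").strip()
    return None


def resolve_property(value, properties, depth=0):
    """Expand ${...} references from <properties>; unresolvable ones stay as-is."""
    if value is None or depth > 10:
        return value
    expanded = re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), value)
    return expanded if expanded == value else resolve_property(expanded, properties, depth + 1)


def find_log4j_dependencies(pom_xml):
    """Return (groupId, artifactId, resolved version) for every log4j dependency."""
    root = ET.fromstring(pom_xml)
    properties = {}
    for props in root.iter():
        if _strip(props.tag) == "properties":
            for p in props:
                properties[_strip(p.tag)] = (p.text or "").strip()
    if _text(root, "version"):
        properties.setdefault("project.version", _text(root, "version"))
    found = []
    for dep in root.iter():
        if _strip(dep.tag) != "dependency":
            continue
        coords = (_text(dep, "groupId"), _text(dep, "artifactId"))
        if coords in LOG4J_COORDS:
            found.append(coords + (resolve_property(_text(dep, "version"), properties),))
    return found


def assess_pom(pom_xml):
    """(groupId, artifactId, version, affected); affected is None when the version is unresolved."""
    results = []
    for group, artifact, version in find_log4j_dependencies(pom_xml):
        # A missing version (inherited from a parent/BOM) or an unexpanded
        # property cannot be judged here; flag it for a manual look.
        affected = None if version is None or "${" in version else is_affected_by_cve_2021_44228(version)
        results.append((group, artifact, version, affected))
    return results


# Constructed sample modelled on the grep output in the issue (not a real OpenWIS pom).
SAMPLE_POM_1X = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>sample</artifactId><version>1.0</version>
  <properties><log4j.version>1.2.16</log4j.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>log4j-over-slf4j</artifactId><version>1.7.32</version></dependency>
  </dependencies>
</project>"""

# Constructed sample of a project on a vulnerable log4j 2.x release.
SAMPLE_POM_2X = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>sample2</artifactId><version>1.0</version>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for name, pom in (("1.x sample", SAMPLE_POM_1X), ("2.x sample", SAMPLE_POM_2X)):
        for group, artifact, version, affected in assess_pom(pom):
            print(f"{name}: {group}:{artifact}:{version} affected={affected}")
```

On a real tree you would feed every `*.pom` the `find` above lists into `assess_pom` and treat any `None` result as a manual follow-up, since a version inherited from a parent POM or a BOM never appears in the child file the grep matched.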