Recently, Log4J CVE-2021-44228 showed up as an exploitable risk. The dependency links to the most impossible of components to upgrade: OpenAM-13.0.0. / OpenAM-12.0.0. The vulnerability affects log4j versions 2.0.1 to 2.14.
Upon investigation, it turns out that OpenWIS uses a much older version of log4j. See below:
OpenWIS Dependencies:

```shell
# quote the glob so the shell does not expand *.pom before find sees it
find . -name '*.pom' -exec grep log4j {} \; -print
```

```
1.2.16log4j-over-slf4j
./openwis-libs/libs/13.0.0/openam-13.0.0.pom
log4jlog4j
./openwis-libs/libs/pvalsecc-0.9.2.pom
1.2.16log4jlog4j${log4j.version}
```
OpenWIS uses version 1.2.16 of log4j, which is not vulnerable.
The NWS continues to investigate, but it appears OpenWIS is not vulnerable to this log4j exploit.
log4j did not affect the OpenWIS software stack. The version of log4j in play for OpenWIS doesn't fall within the affected range of log4j that was vulnerable.
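As an added example (not OpenWIS project code), the script below automates the check the thread does by hand with `find` and `grep`: it reads each pom, resolves `${property}` versions such as the `${log4j.version}` seen in the grep output, and classifies every log4j dependency against the CVE-2021-44228 range. The range encoded is the one Apache published, 2.0-beta9 through 2.14.1 with the 2.3.1 and 2.12.2 backport lines excluded (the thread's "2.0.1 to 2.14" is the same range stated loosely); only `log4j-core` carries the JNDI lookup, so other log4j 2 artifacts are not flagged, and log4j 1.x is out of scope for this CVE. The pom contents and file names are constructed; the first one mirrors what the grep output shows for openam-13.0.0.pom.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not OpenWIS project code. Automates the thread's manual
# find/grep check: read each pom, pull out log4j dependencies, resolve
# ${property} versions and compare them against the CVE-2021-44228 range.
LOG4J2_GROUP = "org.apache.logging.log4j"   # log4j 2.x; the JNDI lookup lives in log4j-core
LOG4J1_GROUP = "log4j"                      # log4j 1.x; not in scope for this CVE


def version_tuple(version):
    """Crude numeric tuple: '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0).
    Pre-release qualifiers are dropped, which errs on the side of flagging."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(group, artifact, version):
    """True if the coordinate is in the CVE-2021-44228 range, False if not,
    None if the version is unknown (e.g. managed by a parent pom not scanned)."""
    if group != LOG4J2_GROUP or artifact != "log4j-core":
        return False
    if not version:
        return None
    v = version_tuple(version)
    # Backported fix lines (2.3.1+ for Java 6, 2.12.2+ for Java 7) are not affected.
    if (2, 3, 1) <= v < (2, 4, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return False
    return (2, 0, 0) <= v <= (2, 14, 1)


def _local(tag):
    """Strip the Maven XML namespace ('{http://...}dependency') from a tag."""
    return tag.rsplit("}", 1)[-1]


def log4j_dependencies(pom_xml):
    """Return [(groupId, artifactId, resolved version, affected)] for every
    log4j dependency declared in one pom document."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    results = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        group, artifact = f.get("groupId", ""), f.get("artifactId", "")
        version = f.get("version", "")
        if group not in (LOG4J1_GROUP, LOG4J2_GROUP):
            continue
        m = re.fullmatch(r"\$\{(.+)\}", version)   # resolve ${log4j.version} style refs
        if m:
            version = props.get(m.group(1), "")
        results.append((group, artifact, version, is_affected(group, artifact, version)))
    return results


def scan(poms):
    """poms: {path: pom xml text}. Returns {path: dependency list}."""
    return {path: log4j_dependencies(xml) for path, xml in poms.items()}


# Constructed sample poms (not real project files). The first mirrors the
# thread's grep output for openam-13.0.0.pom: log4j 1.2.16 set via a property.
SAMPLE_POMS = {
    "openam-13.0.0.pom": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>1.2.16</log4j.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>${log4j.version}</version></dependency>
    <dependency><groupId>org.slf4j</groupId><artifactId>log4j-over-slf4j</artifactId>
      <version>1.7.5</version></dependency>
  </dependencies></project>""",
    "hypothetical-app.pom": """<project>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>2.14.1</version></dependency>
  </dependencies></project>""",
    "hypothetical-patched.pom": """<project>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>2.17.0</version></dependency>
  </dependencies></project>""",
}

if __name__ == "__main__":
    for path, deps in scan(SAMPLE_POMS).items():
        for group, artifact, version, affected in deps:
            print(f"{path}: {group}:{artifact}:{version or '?'} affected={affected}")
```

To run it against a real tree, replace `SAMPLE_POMS` with a dict built from `pathlib.Path('.').rglob('*.pom')`. A `None` result means the version was inherited from a parent or a dependencyManagement block the scan did not see, which is exactly the case where a grep-only check can miss a vulnerable coordinate.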