aaron-kumar
commented
2 years ago Yes @RvanMaarenApro that is correct. Oxalis and Oxalis-AS4 are using logback as logging framework (Though there is reference of "slf4j-log4j12" in vefa-peppol but log4j 1.x version is Not affected by CVE-2021-44228 vulnerability)
In order to clear doubts and spread detailed information, I created discussion: https://github.com/OxalisCommunity/oxalis/discussions/559 . In case of confusion, we can discuss there. I am closing this ticket as this is not an issue.
Hi Aarun,
With regards to the log4j vulnerability, this is not used by oxalis right ? I checked the pom but did not find any reference to it.
Regards,
Richard