RaiMan / SikuliX1

SikuliX version 2.0.0+ (2019+)
https://sikulix.github.io
MIT License

log4J vulnerability --- SikuliX not affected #502

Open RaiMan opened 2 years ago

RaiMan commented 2 years ago

The problem is related to log4j 2.x.

Some dependency in SikuliX depends on log4j 1.2.17. So currently there is no need to do anything.

Look here for very good information on the problem. Reading this might help to check whether your SikuliX usage is relevant with respect to such attack scenarios at all.

vikmaksymenko commented 2 years ago

@RaiMan , according to https://nvd.nist.gov/vuln/detail/CVE-2021-4104, Log4j 1.2 is also vulnerable. Can you please update the dependencies?

RaiMan commented 2 years ago

@vikmaksymenko Thanks for the pointer.

As already mentioned: Log4j 1.2 is used as a dependency in one or very few dependencies of SikuliX. Since the attack scenario is very specific (attacker must have write access) and only relevant in very specific Log4j usage (no problem with default config), it is the responsibility of the user of SikuliX, who integrates it in a Java project, to take care of the vulnerability.

I am open to concrete suggestions on what should be changed in the dependencies to get around the problem.

If in doubt, you have to forgo the usage of SikuliX in Java projects.
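The thread leaves the check to whoever embeds SikuliX in a Java project. The script below is an added example, not code from the SikuliX project or from anyone in this thread, showing how such a user can verify the two conditions the discussion hinges on: whether a Log4j 1.2.x jar is actually on the classpath, and whether the log4j configuration enables JMSAppender (CVE-2021-4104 is specific to `org.apache.log4j.net.JMSAppender`, which is never active in a default Log4j 1.2 configuration). The jar names, config snippets and the `scan_tree` directory layout are constructed sample data; only `log4j-1.2.17` comes from the issue itself.

```python
"""Audit helper: is Log4j 1.2.x on the classpath, and does any log4j config
enable JMSAppender (the only appender CVE-2021-4104 concerns)?

Added example, not part of SikuliX. Inputs are constructed samples.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

LOG4J1_JAR = re.compile(r"^log4j-1\.2\.\d+\.jar$", re.IGNORECASE)
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"


def find_log4j1_jars(jar_names):
    """Return the names that are Log4j 1.2.x jars (e.g. log4j-1.2.17.jar)."""
    return [j for j in jar_names if LOG4J1_JAR.match(Path(j).name)]


def properties_uses_jms_appender(text):
    """True if a log4j.properties file wires any appender to JMSAppender."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # comment or blank line
        # Java .properties allows '=' or ':' as the key/value separator
        key, _, value = re.split(r"(=|:)", line, maxsplit=1) + ["", ""][: 3 - len(re.split(r"(=|:)", line, maxsplit=1))]
        if key.strip().startswith("log4j.appender.") and value.strip() == JMS_APPENDER:
            return True
    return False


def xml_uses_jms_appender(text):
    """True if a log4j.xml file declares <appender class="...JMSAppender">."""
    root = ET.fromstring(text)
    # <appender> elements are unprefixed even when the root is namespaced
    return any(el.get("class") == JMS_APPENDER
               for el in root.iter() if el.tag.endswith("appender"))


def assess(jar_names, config_texts):
    """Combine both checks into a verdict a project owner can act on."""
    jars = find_log4j1_jars(jar_names)
    jms = False
    for text in config_texts:
        stripped = text.lstrip()
        if stripped.startswith("<"):
            jms = jms or xml_uses_jms_appender(text)
        else:
            jms = jms or properties_uses_jms_appender(text)
    if not jars:
        verdict = "log4j-1.2 not on classpath"
    elif jms:
        verdict = "log4j-1.2 present AND JMSAppender configured: review"
    else:
        verdict = "log4j-1.2 present, JMSAppender not configured"
    return {"log4j1_jars": jars, "jms_configured": jms, "verdict": verdict}


def scan_tree(root):
    """Walk a project/lib directory and feed jars and log4j configs to assess()."""
    root = Path(root)
    jars = [p.name for p in root.rglob("*.jar")]
    configs = [p.read_text(encoding="utf-8")
               for name in ("log4j.properties", "log4j.xml")
               for p in root.rglob(name)]
    return assess(jars, configs)


# --- constructed sample inputs (not taken from any real project) ---
SAMPLE_JARS = ["sikulixapi-PLACEHOLDER.jar", "log4j-1.2.17.jar",
               "other-lib-PLACEHOLDER.jar"]
SAMPLE_PROPERTIES_DEFAULT = """# constructed: typical console-only setup
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""
SAMPLE_PROPERTIES_JMS = """# constructed: JMSAppender enabled
log4j.rootLogger=INFO, jms
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
SAMPLE_XML_JMS = """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root><level value="INFO"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, [SAMPLE_PROPERTIES_DEFAULT]))
    print(assess(SAMPLE_JARS, [SAMPLE_PROPERTIES_JMS]))
    print(assess(SAMPLE_JARS, [SAMPLE_XML_JMS]))
```

Run `scan_tree("/path/to/project")` against a built distribution (the `lib/` directory that actually ships) rather than the source tree, since the question is what ends up on the runtime classpath. A "not configured" verdict still assumes nobody with write access to the configuration can later switch an appender to JMSAppender, which is exactly the precondition the comment above describes.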