SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Log4j vulnerability impact #750

Closed JerryZhang0929 closed 2 years ago

JerryZhang0929 commented 2 years ago

As you might know, log4j has a big vulnerability. We use the project template provided by the SAP Cloud SDK library. Inside the project, by default, the xsuaa-spring-boot-starter is included and the version is 2.11.0. When I run mvn dependency:tree, I can see that log4j-to-slf4j is used, which contains log4j-api:jar:2.14.1.

```
[INFO] +- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.11.5:compile
[INFO] |  +- com.sap.cloud.security.xsuaa:spring-xsuaa:jar:2.11.5:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
```

Is there any impact on the application running on SAP BTP, Cloud Foundry environment?

SumanSwati commented 2 years ago

I already see that this issue has been merged as part of this commit: https://github.com/SAP/cloud-security-xsuaa-integration/pull/749/files When is the next release planned?

nenaraab commented 2 years ago

Dear @JerryZhang0929 and @SumanSwati, thanks a lot for reporting it! Actually, I already checked yesterday, and according to this Spring blog post, there is no issue in log4j-to-slf4j and log4j-api...

Only applications using log4j-core and including user input in log messages are vulnerable.

Still, I'm going to release it now, so everyone who uses one of our Spring starters can upgrade.
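A triage script for the check discussed in this thread, added here as an example and not code from the library or from the SAP Cloud SDK: it parses `mvn dependency:tree` output in the format quoted above and reports log4j-core separately from log4j-api and log4j-to-slf4j, since per the Spring guidance cited here only applications pulling in log4j-core are affected. The sample tree, the `org.example:hypothetical-logging-lib` entry and the minimum log4j-core version 2.17.1 are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the dependency:tree excerpt in this issue.
# The last two lines (a hypothetical library pulling in log4j-core) are an assumption.
SAMPLE_TREE = """\
[INFO] +- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.11.5:compile
[INFO] |  +- com.sap.cloud.security.xsuaa:spring-xsuaa:jar:2.11.5:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- org.example:hypothetical-logging-lib:jar:1.0.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

# One dependency line: "[INFO]" + tree-drawing prefix (| + \ - spaces) +
# group:artifact:type[:classifier]:version:scope. The root project line has no scope
# and is deliberately not matched.
COORD_RE = re.compile(
    r"^\[INFO\]\s*[|+\\\- ]*\s*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)

def parse_tree(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict per dependency line of mvn dependency:tree output."""
    return [m.groupdict() for m in (COORD_RE.match(l) for l in text.splitlines()) if m]

def version_tuple(version: str) -> tuple:
    """Numeric prefix of each dot-separated component, so '2.14.1' < '2.17.1'."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in version.split("."))

def classify_log4j(deps, min_core_version: str = "2.17.1") -> List[Dict[str, str]]:
    """Flag log4j-core below min_core_version; report API/bridge artifacts as INFO only."""
    findings = []
    for d in deps:
        if d["group"] != "org.apache.logging.log4j":
            continue
        coord = f'{d["group"]}:{d["artifact"]}:{d["version"]}'
        if d["artifact"] != "log4j-core":
            status, note = "INFO", "not log4j-core; API or bridge artifact only"
        elif version_tuple(d["version"]) < version_tuple(min_core_version):
            status, note = "ACTION", f"log4j-core below {min_core_version}; upgrade"
        else:
            status, note = "OK", f"log4j-core at or above {min_core_version}"
        findings.append({"coordinate": coord, "status": status, "note": note})
    return findings

if __name__ == "__main__":
    for f in classify_log4j(parse_tree(SAMPLE_TREE)):
        print(f'{f["status"]:6} {f["coordinate"]}  ({f["note"]})')
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file contents to `parse_tree`; a tree containing only log4j-api and log4j-to-slf4j, as in the excerpt above, yields INFO lines and no ACTION.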

JerryZhang0929 commented 2 years ago

Thank you very much for the information.

nenaraab commented 2 years ago

Release 2.11.6 is available, but as said, an upgrade is not required.

Update: 2.11.6 seems to be corrupt; I will release a new version by the end of this week.