alexkvak / teamcity-slack

TeamCity Slack plugin
MIT License

Teamcity-slack plugin log4j vulnerability check #138

Closed azerioglan closed 2 years ago

azerioglan commented 2 years ago

Hello @alexkvak, I hope you are doing great today. Just wanted to double check with you: we're using TeamCity version 2020 with the teamcity-slack plugin version 1.1.8. I just wanted to check if this plugin version is vulnerable to the log4j CVEs?

alexkvak commented 2 years ago

Hello @azerioglan

There is no direct dependency on log4j. I see log4j@1.2.12 as a deep dependency. AFAIK CVE-2021-44228 applies to the version range 2.0 <= Apache log4j < 2.15.0.

Anyway, the best workaround is to run TeamCity with the arg -Dlog4j2.formatMsgNoLookups=true
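The dependency check described in the reply above can be repeated against a plugin archive itself. The following is an added example, not part of the thread and not code from the plugin's author: it walks an archive and its nested jars, reads log4j versions from Maven `pom.properties` (falling back to the jar file name), and flags versions inside the range quoted above. The archive layout, the file names and the 2.14.1 entry are constructed sample data.

```python
import io
import re
import zipfile

# Range quoted in the reply above for CVE-2021-44228: 2.0 <= log4j < 2.15.0
AFFECTED_MIN, AFFECTED_MAX = (2, 0), (2, 15)
POM_RE = re.compile(r"META-INF/maven/[^/]+/(log4j(?:-core)?)/pom\.properties$")
JAR_RE = re.compile(r"(?:^|/)(log4j(?:-core)?)-(\d+(?:\.\d+)+)[^/]*\.jar$")

def in_quoted_range(version):
    """True/False for a parseable version, None when it cannot be parsed."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:2]]
    return None if len(nums) < 2 else AFFECTED_MIN <= tuple(nums) < AFFECTED_MAX

def find_log4j(data, path=""):
    """Walk an archive (bytes); return [(location, artifact, version, in_range)]."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            where = f"{path}!/{name}" if path else name
            pom = POM_RE.search(name)
            if pom:  # Maven metadata is the most reliable version source
                m = re.search(r"^version=(.+)$", zf.read(name).decode(), re.M)
                version = m.group(1).strip() if m else "unknown"
                hits.append((where, pom.group(1), version, in_quoted_range(version)))
            elif name.endswith((".jar", ".war", ".zip")):
                inner = zf.read(name)
                nested = find_log4j(inner, where) if zipfile.is_zipfile(io.BytesIO(inner)) else []
                by_name = JAR_RE.search(name)
                if not nested and by_name:  # no metadata inside: use the file name
                    nested = [(where, by_name.group(1), by_name.group(2), in_quoted_range(by_name.group(2)))]
                hits.extend(nested)
    return hits

def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_plugin():
    """Constructed plugin archive; not the real teamcity-slack layout."""
    old = make_zip({"org/apache/log4j/Logger.class": b""})
    fat = make_zip({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.14.1\n"})
    return make_zip({"server/lib/log4j-1.2.12.jar": old, "server/lib/bundled-deps.jar": fat})

if __name__ == "__main__":
    for hit in find_log4j(build_sample_plugin()):
        print(hit)
```

To scan a real download, pass the file's bytes, for example `find_log4j(open(path, "rb").read())`, where `path` is the plugin zip.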

azerioglan commented 2 years ago

@alexkvak thank you for the quick response