archi-contribs / snow-import-plugin

Service Now import plugin

log4j vulnerability #15

Open bepe1965 opened 2 years ago

bepe1965 commented 2 years ago

Hi

I am not a technical expert, but I noted that there is a reference to LOG4J in the code.

Just wanted to ask if there is any risk regarding the log4j vulnerability that has been exposed?

Can it be confirmed that this does not apply to the snow-import-plugin?

Thanks in advance.

herve91 commented 2 years ago

Hi, My plugins effectively do use Log4J to generate their log files. Nevertheless, the vulnerability concerns Log4J release 2 but I am using Log4J release 1. So I confirm that none of my plugins are concerned by the vulnerability. Best regards

bepe1965 commented 2 years ago

Hi Herve91

Thank you for your quick reply.

I asked one of our security experts, and he came back with the following answer:

I can see that log4j-1.2.17.jar is being used, and this is vulnerable (see the link below) https://www.cvedetails.com/cve/CVE-2019-17571/

He advised against using this version.

Do you have any plans to update to the latest version, or perhaps advise on whether the above version is safe to use in this context?

Thanks in advance.
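As an added example (not code from the snow-import-plugin project or from either commenter), the following Python check is what a reviewer could run against a plugin's bundled jars to settle the question raised above: which Log4j generation the jar belongs to, and whether it contains the classes behind the two CVEs named in this thread. CVE-2019-17571 is the deserialization flaw in Log4j 1.2's `SocketServer`/`SocketNode`, and CVE-2021-44228 is the JNDI lookup in Log4j 2 core (`JndiLookup`). The two sample jars are built in a temporary directory as constructed input; the class paths and manifest keys are Log4j's real ones, but the jars contain no bytecode.

```python
"""Inspect a jar to see which Log4j generation it bundles and whether the
classes tied to CVE-2019-17571 (Log4j 1.2) or CVE-2021-44228 (Log4j 2) are
present. Added example; the sample jars built below are constructed input.
"""
import json
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Log4j 1.2: the SocketServer/SocketNode pair deserializes untrusted
# LoggingEvent objects from the network (CVE-2019-17571).
LOG4J1_SOCKET_CLASSES = {
    "org/apache/log4j/net/SocketServer.class",
    "org/apache/log4j/net/SocketNode.class",
}
# Log4j 2 core: the JNDI lookup class behind CVE-2021-44228.
LOG4J2_JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _manifest_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read Implementation-Version (or Bundle-Version) from META-INF/MANIFEST.MF."""
    try:
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for key in ("Implementation-Version", "Bundle-Version"):
        match = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if match:
            return match.group(1)
    return None


def inspect_log4j_jar(path: str) -> Dict[str, object]:
    """Classify a jar by its Log4j package layout and flag the CVE classes."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = _manifest_version(jar)
    # Check the Log4j 2 prefix first: Log4j 2's log4j-1.2-api bridge also
    # ships org/apache/log4j/ classes, so the 1.x prefix alone is not proof.
    if any(n.startswith("org/apache/logging/log4j/") for n in names):
        generation = 2
    elif any(n.startswith("org/apache/log4j/") for n in names):
        generation = 1
    else:
        generation = None
    return {
        "version": version,
        "generation": generation,
        "cve_2019_17571_classes_present": bool(names & LOG4J1_SOCKET_CLASSES),
        "cve_2021_44228_class_present": LOG4J2_JNDI_CLASS in names,
    }


def build_sample_jar(dest: Path, version: str, entries: List[str]) -> str:
    """Write a minimal constructed jar: a manifest plus empty class entries."""
    manifest = f"Manifest-Version: 1.0\nImplementation-Version: {version}\n"
    with zipfile.ZipFile(dest, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for entry in entries:
            jar.writestr(entry, b"")
    return str(dest)


def demo() -> Dict[str, Dict[str, object]]:
    """Build a Log4j 1.2.17-shaped jar and a log4j-core 2.x-shaped jar, inspect both."""
    with tempfile.TemporaryDirectory() as tmp:
        log4j1 = build_sample_jar(
            Path(tmp) / "log4j-1.2.17.jar", "1.2.17",
            ["org/apache/log4j/Logger.class",
             "org/apache/log4j/net/SocketServer.class",
             "org/apache/log4j/net/SocketNode.class"])
        log4j2 = build_sample_jar(
            Path(tmp) / "log4j-core-2.14.1.jar", "2.14.1",
            ["org/apache/logging/log4j/core/Logger.class", LOG4J2_JNDI_CLASS])
        return {"log4j1": inspect_log4j_jar(log4j1),
                "log4j2": inspect_log4j_jar(log4j2)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Point `inspect_log4j_jar` at the real jar shipped with a plugin to get the same verdict. Two caveats a reviewer should keep in mind: finding `SocketServer`/`SocketNode` in a Log4j 1.2.17 jar shows the vulnerable code is on the classpath, but CVE-2019-17571 is only reachable if the application actually runs a `SocketServer` listening on the network, which a plugin that merely writes log files normally does not; and Log4j 1.x is end-of-life, so even an unreachable flaw will never receive a fix in that branch.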

herve91 commented 2 years ago

You might have been clearer in your first post ;)

I was referring to the exploit that was released last December (https://www.cvedetails.com/cve/CVE-2021-44228), which does not concern Log4J release 1.

This said, I'm using an old version of Log4J, but it has a few advantages: it is simple to configure and to use, and I unfortunately do not have time to replace it soon.

But as my plugins are open source, please do not hesitate to contribute. You may do it yourself or ask your dev team to do it ;)

Best regards