The Apache Struts group is pleased to announce that Struts 2.5.28.3 is available as a "General Availability" release. The GA designation is our highest quality grade.

This release addresses Log4j vulnerability CVE-2021-44832 by using the latest Log4j ver. 2.12.4 (Java 1.7 compatible).

Please note that Apache Struts itself depends on the log4j-api package only; it's the users' responsibility to use a proper version of the log4j-core package!

Internal Changes
Log4j has been upgraded to version 2.12.4 to address security vulnerability CVE-2021-44832; more details can be found on the Log4j page.
Please note that Apache Struts itself depends on the log4j-api package only; it's the users' responsibility to use a proper version of the log4j-core package!
Product vendor
Apache
Product name
Struts 2
Context
https://www.mail-archive.com/commits@struts.apache.org/msg18376.html
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.3
Product version(s)
everything before 2.5.28.3
Product status
Fixed
Product update
Available
Product update link
https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.28.3
Last updated
2021-12-30