ebics-java / ebics-java-client

Java open source EBICS client - Support for French, German and Swiss banks
GNU Lesser General Public License v2.1

Upgrade of Log4j? #28

Closed cyrilfr closed 2 years ago

cyrilfr commented 2 years ago

Due to the critical Log4j Security Vulnerability, is there any plan to upgrade Log4j or replace it with another logging framework?

uwemaurer commented 2 years ago

I plan to upgrade to the latest version of log4j 2.

Please note that currently the ebics library uses the very outdated log4j 1.x library, therefore it does not have the vulnerable code, which was only added later in log4j 2.

Also there is currently no risk since this ebics library does not log any strings which contain user input. Only messages like this:

    configuration.getLogger().info(messages.getString("user.create.info", userId)); 

where the strings come from the own configuration files.

Nevertheless the logging library should be upgraded to the latest version.
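The two points above (which log4j generation a build actually ships, and whether the log4j 2 JNDI lookup class is present at all) can be checked directly against the jars on the classpath. The script below is an added example for this thread, not code from ebics-java-client: it reads the Maven `pom.properties` entries each jar carries under `META-INF/maven/` to list log4j artifacts and versions, and looks for `org/apache/logging/log4j/core/lookup/JndiLookup.class`, the class that implements the lookup in log4j 2 and that log4j 1.x does not contain. The sample jars, the `PLACEHOLDER` version strings, the dummy class bytes and the risk labels returned by `classify` are all constructed for this example.

```python
"""Inventory log4j artifacts in jars and flag the log4j 2 JndiLookup class.

Added example for the ebics-java-client issue thread, not project code.
The sample jars are constructed in a temporary directory so it runs offline.
"""
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup in log4j 2 (not present in log4j 1.x).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MAVEN_PREFIX = "META-INF/maven/"
# log4j 1.x is published under groupId "log4j", log4j 2 under "org.apache.logging.log4j".
LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}


def parse_properties(text):
    """Minimal parser for Maven pom.properties (key=value lines, '#' comments)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def inspect_jar(jar_path):
    """Return the log4j artifacts declared in a jar and whether JndiLookup is present."""
    report = {"jar": Path(jar_path).name, "artifacts": [], "jndi_lookup": False}
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        report["jndi_lookup"] = JNDI_LOOKUP in names
        for name in sorted(names):
            # Shaded jars may carry several pom.properties; record every log4j one.
            if name.startswith(MAVEN_PREFIX) and name.endswith("/pom.properties"):
                props = parse_properties(zf.read(name).decode("utf-8", "replace"))
                if props.get("groupId") in LOG4J_GROUPS:
                    report["artifacts"].append(
                        (props["groupId"], props.get("artifactId", "?"), props.get("version", "?"))
                    )
    return report


def classify(report):
    """Map a report to a label; the labels are this example's own, not a standard."""
    if report["jndi_lookup"]:
        return "log4j2-jndi-lookup-present"   # lookup class shipped: upgrade needed
    if any(group == "log4j" for group, _, _ in report["artifacts"]):
        return "log4j1-end-of-life"           # no lookup code, but unmaintained line
    if report["artifacts"]:
        return "log4j2-jndi-lookup-absent"    # log4j 2 without the lookup class
    return "no-log4j"


def build_sample_jars(directory):
    """Write three constructed jars (placeholder versions, dummy class bytes)."""
    samples = {
        "legacy-log4j.jar": {
            "META-INF/maven/log4j/log4j/pom.properties":
                "groupId=log4j\nartifactId=log4j\nversion=1.x-PLACEHOLDER\n",
            "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
        },
        "log4j-core.jar": {
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
                "version=2.x-PLACEHOLDER\n",
            JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
        },
        "unrelated.jar": {
            "META-INF/maven/example/widget/pom.properties":
                "groupId=example\nartifactId=widget\nversion=0.0.0\n",
        },
    }
    paths = []
    for jar_name, entries in samples.items():
        path = Path(directory) / jar_name
        with zipfile.ZipFile(path, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
        paths.append(path)
    return paths


def scan_sample():
    """Build the sample jars in a temp dir and return {jar name: label}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {p.name: classify(inspect_jar(p)) for p in build_sample_jars(tmp)}


if __name__ == "__main__":
    for jar, label in scan_sample().items():
        print(f"{jar}: {label}")
```

Pointing `inspect_jar` at the jars of a real build (for instance the output directory of a Maven dependency copy) gives the same inventory for that build; the `pom.properties` check relies on the artifact having been published through Maven, so a jar repackaged without that metadata will only be caught by the class-path check.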

cyrilfr commented 2 years ago

OK thank you for your feedback :)