jackshirazi
commented
2 months ago Thanks, per the name log4j2-legacy-tests this module only has test code (only src/test/java/... exists in that module) for legacy log4j versions, and is never deployed other than to CI to run tests. The actual log4j dependency in log4j2-ecs-layout/pom.xml is already on 2.17.1
https://github.com/elastic/ecs-logging-java/blob/-/log4j2-legacy-tests/pom.xml
The fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in a remote code execution (RCE) attack.