eurostat / searoute

Compute shortest maritime routes between ports
European Union Public License 1.2

Log4j vulnerability #56

Closed naveenrk closed 2 years ago

naveenrk commented 2 years ago

@chillax @jgaffuri

The following imports have been found:

SeaRouting.java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

MarnetBuilding.java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;

and couldn't find any reference to log4j in pom.xml.

Can you help us to identify and resolve the vulnerability?

jgaffuri commented 2 years ago

Dears, Searoute does not use log4j directly, but through one of its main dependencies, Geotools. But note that Geotools is based on log4J version 1, which is totally different from log4J2 and does not seem to suffer from the important vulnerabilities discovered recently. For more info, see the release note here: http://geotoolsnews.blogspot.com/2021/12/geotools-254-released.html

naveenrk commented 2 years ago

Thank you @jgaffuri
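The thread turns on which Log4j generation the code binds to and whether it arrives directly or through a dependency. The sketch below is an added example, not code from the searoute project: it classifies Java import statements by package namespace, using the import lines quoted in the issue as input. The function names and the control line are hypothetical, and the namespace-to-artifact mapping is stated from general knowledge of Log4j packaging.

```python
import re

# Namespace prefixes, most specific first (mapping stated from general knowledge
# of Log4j packaging, not from the issue): Log4j 1.x is org.apache.log4j, the
# Log4j 2 API is org.apache.logging.log4j, and the Log4j 2 implementation
# shipped in the log4j-core artifact is org.apache.logging.log4j.core.
FAMILIES = [
    ("org.apache.logging.log4j.core.", "log4j2-core"),
    ("org.apache.logging.log4j.", "log4j2-api"),
    ("org.apache.log4j.", "log4j1"),
]

IMPORT_RE = re.compile(r"\bimport\s+(?:static\s+)?([A-Za-z_][\w.]*(?:\.\*)?)\s*;")


def classify_import(name):
    """Return the logging family an imported name belongs to, or None."""
    for prefix, family in FAMILIES:
        if name.startswith(prefix):
            return family
    return None


def scan_source(text):
    """Map each logging family found in Java source text to its imported names."""
    found = {}
    for name in IMPORT_RE.findall(text):
        family = classify_import(name)
        if family:
            found.setdefault(family, []).append(name)
    return found


# Import lines as listed in the issue (surrounding file contents not reproduced).
SOURCES = {
    "SeaRouting.java": "import org.apache.logging.log4j.LogManager; "
                       "import org.apache.logging.log4j.Logger;",
    "MarnetBuilding.java": "import org.apache.logging.log4j.Level; "
                           "import org.apache.logging.log4j.LogManager; "
                           "import org.apache.logging.log4j.Logger; "
                           "import org.apache.logging.log4j.core.config.Configurator;",
}
# Constructed control line showing what a Log4j 1.x import looks like.
CONTROL = "import org.apache.log4j.Logger;"

if __name__ == "__main__":
    for fname, families in SOURCES.items():
        for family, names in sorted(scan_source(families).items()):
            print(f"{fname}: {family}: {', '.join(names)}")
```

A namespace match only shows which API a source file compiles against; the artifact and version actually resolved at build time still have to be read from the Maven dependency tree (`mvn dependency:tree`), since the dependency may be transitive and absent from pom.xml.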