highmed / highmed-dsf

HiGHmed Data Sharing Framework funded by the German Federal Ministry of Education and Research (BMBF, grant ids: 01ZZ1802E and 01ZZ1802A)
Apache License 2.0

CVE-2021-45046 #300

Closed bauerjs1 closed 2 years ago

bauerjs1 commented 2 years ago

Hey everyone!

First of all, thank you for updating the log4j dependency so quickly! It seems like log4j v2.15 did not fix all the related security issues¹ (CVE-2021-45046), and there is already v2.16 released to fix this. Are there any plans already to do another dependency update?

Cheers, Johannes

[1] https://www.golem.de/news/log4j-erstes-update-fuer-log4shell-luecke-nicht-vollstaendig-2112-161814.html

hhund commented 2 years ago

Hello @bauerjs1 ,

we have discussed CVE-2021-45046 and concluded that a hotfix is currently not necessary. Our Pattern Layout neither uses Context Lookups (like $${ctx:loginId}) nor Thread Context Map patterns (%X, %mdc, or %MDC). We will upgrade to Log4j 2 2.16.0 with the next scheduled release.

For the logging patterns of the FHIR Server (v0.5.4) see: https://github.com/highmed/highmed-dsf/blob/v0.5.4/dsf-fhir/dsf-fhir-server-jetty/docker/conf/log4j2.xml
For the logging patterns of the BPE Server (v0.5.4) see: https://github.com/highmed/highmed-dsf/blob/v0.5.4/dsf-bpe/dsf-bpe-server-jetty/docker/conf/log4j2.xml
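The reasoning in the reply above (CVE-2021-45046 only reaches Log4j 2.15.0 when a PatternLayout uses a Thread Context Map pattern such as %X, %mdc or %MDC, or a Context Lookup such as ${ctx:...} / $${ctx:...}) can be turned into a mechanical check over a log4j2.xml file. The script below is an added example written for this page, not code from the highmed-dsf project; the embedded configuration is constructed for illustration and is not one of the linked files. It assumes the standard Log4j 2 XML element names (PatternLayout with a pattern attribute or a nested Pattern element, and PatternMatch branches inside a PatternSelector); patterns supplied through properties files or custom layouts are outside what it inspects.

```python
"""Audit a Log4j 2 XML configuration for the PatternLayout features named in
CVE-2021-45046: Thread Context Map patterns (%X, %mdc, %MDC) and Context
Lookups (${ctx:...} or the deferred $${ctx:...}).  Added example; not
highmed-dsf code."""
import re
import xml.etree.ElementTree as ET

# Thread Context Map conversion patterns.  The optional format modifier
# (e.g. %-10X{key}) is allowed; \b keeps %X{key} but rejects %xEx, %M, %msg.
THREAD_CONTEXT_RE = re.compile(r"%[-0-9.]*(?:X|mdc|MDC)\b")
# Context Lookups in either the eager ${ctx:...} or deferred $${ctx:...} form.
CONTEXT_LOOKUP_RE = re.compile(r"\$\$?\{ctx:")

# Constructed sample configuration: one safe appender and two that use the
# risky features.  Not taken from the project's real log4j2.xml files.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="CONSOLE" target="SYSTEM_OUT">
      <PatternLayout pattern="%d [%t] %-5level %logger{36} - %msg%n"/>
    </Console>
    <RollingFile name="AUDIT" fileName="audit.log" filePattern="audit-%i.log">
      <PatternLayout>
        <Pattern>%d user=%X{loginId} %-5p %c{1} - %m%n</Pattern>
      </PatternLayout>
    </RollingFile>
    <File name="DEBUG" fileName="debug.log">
      <PatternLayout pattern="%d req=$${ctx:requestId} %m%n"/>
    </File>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="CONSOLE"/></Root>
  </Loggers>
</Configuration>
"""


def extract_patterns(xml_text):
    """Return (appender_name, pattern) pairs for every PatternLayout.

    Covers the 'pattern' attribute, the nested <Pattern> element, and
    <PatternMatch pattern="..."> branches of a PatternSelector.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for layout in root.iter("PatternLayout"):
        appender = parents.get(layout)
        where = appender.get("name", appender.tag) if appender is not None else "?"
        if layout.get("pattern"):
            found.append((where, layout.get("pattern")))
        for pat in layout.iter("Pattern"):
            if pat.text and pat.text.strip():
                found.append((where, pat.text.strip()))
        for match in layout.iter("PatternMatch"):
            if match.get("pattern"):
                found.append((where, match.get("pattern")))
    return found


def find_risky_patterns(xml_text):
    """Return [(appender, pattern, reasons)] for patterns that would let
    attacker-controlled ThreadContext data reach a lookup on Log4j 2.15.0."""
    hits = []
    for where, pattern in extract_patterns(xml_text):
        reasons = []
        if THREAD_CONTEXT_RE.search(pattern):
            reasons.append("thread context map pattern (%X/%mdc/%MDC)")
        if CONTEXT_LOOKUP_RE.search(pattern):
            reasons.append("context lookup (${ctx:...})")
        if reasons:
            hits.append((where, pattern, reasons))
    return hits


if __name__ == "__main__":
    for where, pattern, reasons in find_risky_patterns(SAMPLE_CONFIG):
        print(f"{where}: {pattern!r} -> {', '.join(reasons)}")
```

Running it against the linked FHIR and BPE log4j2.xml files (read the file and pass its text to find_risky_patterns) reproduces the check described in the reply; an empty result means no PatternLayout in that file carries the CVE-2021-45046 preconditions, although upgrading to 2.16.0 remains the durable fix since the check only covers patterns declared in the XML.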