holodeck-b2b / Holodeck-B2B

Holodeck B2B is an AS4 system-to-system messaging solution that implements the OASIS specifications for ebMS3 and its AS4 profile. For more information visit the project website
http://holodeck-b2b.org
GNU General Public License v3.0

Log4J Security Update #134

Closed precoder closed 2 years ago

precoder commented 2 years ago

Hello,

There is a CVE for Log4J 2.17.0: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832

This is also listed on the Log4J main page: https://logging.apache.org/log4j/2.x/

Do you have any plan for updating this dependency and making a new release? I think most people are not using any JDBC Appender, but static security scanners can be very annoying.

RenateS commented 2 years ago

Dependencies will be updated with the next release which we do not have a date for yet. It appears however that the issue in Log4J is in a part that we do not use in Holodeck B2B. If you want to update Log4J sooner, you can do so by following the procedure described in the weblog on the project website.
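The maintainer's point, that CVE-2021-44832 only matters where the Log4J JDBC Appender is actually configured, is something an operator can verify against their own log4j2.xml before deciding whether to rush the update. The script below is an added example, not Holodeck B2B's own code or procedure: it parses a Log4J 2 XML configuration, lists any JDBC appenders, notes whether each one obtains its connection from a `DataSource` element with a `jndiName` (the configuration shape the CVE concerns), and reports whether such an appender is referenced by any logger at all. The two configurations embedded in it are constructed samples, not the project's shipped configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: console + rolling file only, no JDBC appender at all.
SAFE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <RollingFile name="File" fileName="logs/app.log" filePattern="logs/app-%i.log.gz">
      <PatternLayout pattern="%d %p %c - %m%n"/>
      <SizeBasedTriggeringPolicy size="10 MB"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Console"/><AppenderRef ref="File"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample: a JDBC appender fed by a JNDI-resolved DataSource and
# actually attached to the root logger.
JDBC_JNDI_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT"><PatternLayout pattern="%m%n"/></Console>
    <JDBC name="db" tableName="APPLICATION_LOG">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
      <Column name="EVENT_DATE" isEventTimestamp="true"/>
      <Column name="MESSAGE" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Logger name="org.holodeckb2b" level="debug"><AppenderRef ref="db"/></Logger>
    <Root level="info"><AppenderRef ref="Console"/></Root>
  </Loggers>
</Configuration>
"""


def jdbc_appenders(xml_text):
    """Return [(appender name, connection kind)] for every JDBC appender.

    kind is 'jndi' when the appender's DataSource element carries a jndiName,
    otherwise 'other' (ConnectionFactory, DriverManager, ...).
    """
    root = ET.fromstring(xml_text)
    appenders = root.find("Appenders")
    found = []
    if appenders is None:
        return found
    for el in appenders:
        # Log4J 2 accepts both the short form <JDBC ...> and <Appender type="JDBC">.
        is_jdbc = el.tag == "JDBC" or (el.tag == "Appender" and el.get("type") == "JDBC")
        if not is_jdbc:
            continue
        ds = el.find("DataSource")
        kind = "jndi" if ds is not None and ds.get("jndiName") else "other"
        found.append((el.get("name", "<unnamed>"), kind))
    return found


def referenced_appenders(xml_text):
    """Names of appenders wired to any logger (Root or named Logger)."""
    root = ET.fromstring(xml_text)
    return {ref.get("ref") for ref in root.iter("AppenderRef")}


def assess(xml_text):
    """Classify a configuration with respect to the JDBC appender code path.

    'no-jdbc'               : no JDBC appender defined, the CVE's code path is unused
    'jdbc-unreferenced'     : defined but attached to no logger
    'jdbc-other-referenced' : in use, but not via a JNDI DataSource
    'jdbc-jndi-referenced'  : in use with a JNDI DataSource, update Log4J first
    """
    jdbc = jdbc_appenders(xml_text)
    if not jdbc:
        return "no-jdbc"
    used = referenced_appenders(xml_text)
    active = [kind for name, kind in jdbc if name in used]
    if not active:
        return "jdbc-unreferenced"
    return "jdbc-jndi-referenced" if "jndi" in active else "jdbc-other-referenced"


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("jdbc-jndi", JDBC_JNDI_CONFIG)):
        print(label, "->", assess(cfg), jdbc_appenders(cfg))
```

Run it against a real configuration by reading the file into a string and passing it to `assess`; a result of `no-jdbc` or `jdbc-unreferenced` matches the situation the maintainer describes, while the two referenced variants mean the appender is live and the dependency update should not wait for the next release.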