ma1uta / ma1sd

Federated Matrix Identity Server (formerly fork of kamax/mxisd)
GNU Affero General Public License v3.0

log4j (security vulnerability?) #106

Open beedaddy opened 2 years ago

beedaddy commented 2 years ago

It seems that ma1sd is using log4j:

> jar tf ma1sd.jar | grep log4
> com/mchange/v2/log/log4j2/
> com/mchange/v2/log/log4j2/MLogAppender.class
> com/mchange/v2/log/log4j/
> com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class
> com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class
> com/mchange/v2/log/log4j2/Log4j2MLog.class
> com/mchange/v2/log/log4j/Log4jMLog.class

Due to the known security vulnerability of log4j, is there a quick patch in sight?

tulir commented 2 years ago

Those are just an adapter that won't work without log4j installed. ma1sd uses slf4j for logging: https://github.com/ma1uta/ma1sd/blob/master/build.gradle#L91-L92
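An added example, not part of the thread and not ma1sd code: a Python check that separates third-party adapter classes, like the ones listed in the issue, from a bundled Log4j implementation, following nested jars as well. The function names and the in-memory jars are constructed for illustration; the package paths are those used by the Apache Log4j jars.

```python
import io
import zipfile

CORE = "org/apache/logging/log4j/core/"      # log4j-core (2.x implementation)
JNDI = CORE + "lookup/JndiLookup.class"      # JNDI lookup class inside log4j-core
API = "org/apache/logging/log4j/"            # log4j-api (2.x interfaces only)
V1 = "org/apache/log4j/"                     # Log4j 1.x, also log4j-over-slf4j
# Constructed sample: two of the entries quoted in the issue.
SAMPLE = ["com/mchange/v2/log/log4j2/MLogAppender.class",
          "com/mchange/v2/log/log4j/Log4jMLog.class"]


def scan(data, depth=3):
    """Classify log4j-related entries of a jar (bytes), following nested jars."""
    r = {"core": False, "jndi": False, "v1": False, "api": False, "adapters": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return r
    with zf:
        for name in zf.namelist():
            if name.lower().endswith((".jar", ".war", ".ear")) and depth > 0:
                inner = scan(zf.read(name), depth - 1)
                for k in ("core", "jndi", "v1", "api"):
                    r[k] = r[k] or inner[k]
                r["adapters"] += [name + "!/" + a for a in inner["adapters"]]
            elif CORE in name:
                r["core"] = True
                r["jndi"] = r["jndi"] or name.endswith(JNDI)
            elif V1 in name:
                r["v1"] = True
            elif API in name:
                r["api"] = True
            elif "log4j" in name.lower() and name.endswith(".class"):
                r["adapters"].append(name)  # mentions log4j, lives in another package
    return r


def verdict(r):
    if r["core"]:
        return "log4j-core bundled"
    if r["v1"]:
        return "org.apache.log4j package present"
    return "adapter classes only" if r["adapters"] or r["api"] else "no log4j references"


def make_jar(entries):
    """Build a constructed jar in memory from a {entry name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return buf.getvalue()
```

Run against a real artifact with `verdict(scan(open("ma1sd.jar", "rb").read()))`; a plain `grep log4` over the listing cannot tell these cases apart.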