rrarrarra
commented
2 years ago - The log4j-vulnerability belongs to "log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1" which is described here: https://logging.apache.org/log4j/2.x/security.html
There is also written, that the mitigation would be:
- In releases >=2.10, ...
- For releases from 2.0-beta9 to 2.10.0, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
--> Which gave me indirectly the information, that the "vulnerability" is placed in the "org/apache/logging/log4j/core/lookup/JndiLookup.class".
Ok, this is what I have done right now to check, if my app uses "log4j" (or at least if it has included this class):
- I build a "fat jar" of my app via "maven package"
- I extracted all files from within that jar into an folder in my filesystem
- I searched in that folder for "log4j"
... I did not find the path "org/apache/logging/log4j" and also no class named "JndiLookup.class" in that path.
Which, indirectly should mean, that my ninja-app is not affected to this specific "security vulnerability"?
Thanks for help and best regards
jjlauer
Hi,
currently there is a "Critical New 0-day Vulnerability in Popular Log4j Library".
Now my question is, if this is (or could be) a problem for applications running with the "ninja-framework Version 6.2.0"?
I am also not sure, if the ninja-framework (or some of its dependencies) uses "log4j"?
I have found, that ninja uses "log4j-over-slf4j" but I am not familiar with these libraries in detail, so, maybe some of you or the core-developers could help out here or give a small hint, if something needs to be updated or done, or if ninja-apps are safe regarding this vulnerability and nothing needs to be done.
Or how to check, if the application, that uses the ninja-framework, is "safe" regarding "Critical New 0-day Vulnerability in Popular Log4j Library"?
Many thanks and best regards