odnoklassniki / one-nio

Unconventional I/O library for Java
Apache License 2.0
655 stars 97 forks

chore: use slf4j for logging #74

Closed JarvisCraft closed 1 year ago

JarvisCraft commented 1 year ago

Description

Log4j v1 and, transitively, Apache Commons Logging are subject to multiple CVEs (namely CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2021-4104, CVE-2019-17571), and both libraries have not been updated since the years 2012 and 2014 respectively.

This PR replaces them with the usage of slf4j, which is more universal (being just a common API for various loggers) and less vulnerable to potential attacks (again, being just an API).

It's worth mentioning that its v1 is used although v2 has been released about a year ago, which is due to API v2 not yet being stable enough and as well supported as v1 is.

JarvisCraft commented 1 year ago

@incubos, just a friendly reminder on this PR :)