rfoltyns / log4j2-elasticsearch

Log4j2 Elasticsearch Appender plugins
Apache License 2.0

Log4j2 Zero-Day vulnerability (CVE-2021-44228) #79

Closed rfoltyns closed 2 years ago

rfoltyns commented 2 years ago

Since all modules in this repo depend on Log4j2 libraries in provided scope, adding this library to your POM file will NOT add affected libraries to your production code unless you're packaging your application with provided transitive dependencies explicitly. This decision was made at the beginning of this project to force you to fully control Log4j2 libraries landing on your classpath.

Regardless of the above decision, a new version will be released later today (retaining provided scope) including a dependency on 2.15.0 in order to indicate a patched Log4j2 version. It will NOT make your application free of this vulnerability!

Please use the following command to locate the source of the vulnerable log4j-core library and replace it with version 2.15.0 or newer.

mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-core

and follow the Log4j Project recommendations.

All Log4j2 dependencies should be listed explicitly in your POM file unless other dependencies, e.g. org.springframework.boot:spring-boot-starter-log4j2 or other lots.of.transitive.compile:convenience libraries, have them in compile scope.
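To make the check above repeatable across many builds, here is an added example (not part of the project or of this issue) that reads the output of the `mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-core` command and reports every resolved log4j-core version below a patched baseline. The tree text embedded below is constructed for illustration; in a real build, pipe the mvn command into the function instead.

```shell
#!/bin/sh
# Added example: flag resolved log4j-core versions below a patched baseline
# in `mvn dependency:tree -Dverbose` output. Versions listed in parentheses
# as "omitted for conflict" never land on the classpath, so they are skipped;
# this is exactly why a provided-scope 2.15.0 does not fix a compile-scope 2.14.1.

# Constructed sample of the verbose tree output (not from a real build).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.appenders.log4j:log4j2-elasticsearch-core:jar:1.5.4:compile
[INFO] |  \- (org.apache.logging.log4j:log4j-core:jar:2.15.0:provided - omitted for conflict with 2.14.1)
[INFO] \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile'

# version_lt A B: exit 0 when dot-separated numeric version A is lower than B.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
      if (p < q) exit 0; if (p > q) exit 1;
    }
    exit 1 }'
}

# find_vulnerable_log4j_core BASELINE: read tree output on stdin and print each
# distinct resolved log4j-core version (numeric x.y.z form) below BASELINE.
find_vulnerable_log4j_core() {
  baseline="$1"
  versions=$(grep 'org.apache.logging.log4j:log4j-core:' | grep -v 'omitted' \
    | sed -n 's/.*org\.apache\.logging\.log4j:log4j-core:jar:\([0-9][0-9.]*\):.*/\1/p' \
    | sort -u)
  for v in $versions; do
    if version_lt "$v" "$baseline"; then
      echo "$v"
    fi
  done
}

# Demo on the constructed sample; for a real project use:
#   mvn dependency:tree -Dverbose -Dincludes=org.apache.logging.log4j:log4j-core \
#     | find_vulnerable_log4j_core 2.17.1
printf '%s\n' "$SAMPLE_TREE" | find_vulnerable_log4j_core 2.17.1
```

The group id for the appender artifact in the sample is an assumption used only to shape the tree; only the log4j-core lines matter to the check.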

rfoltyns commented 2 years ago

1.5.4 released

rfoltyns commented 2 years ago

Log4j2 release frenzy continues... 1.5.5 was just released with a dependency on Log4j2 2.17.1.