rundeck-plugins / rundeck-ec2-nodes-plugin

Get resource node data from Amazon EC2

Update to slf4j instead of Log4j #111

Closed fdevans closed 2 years ago

fdevans commented 3 years ago

https://github.com/rundeck-plugins/rundeck-ec2-nodes-plugin/blob/cd105407bf09d61a925557c460e20c090967ca19/build.gradle#L64

Please update to slf4j to align with 3.3.x+ series capabilities.

ljkimmel commented 2 years ago

@fdevans is there any plan to implement this change? We are using this plugin but there are multiple HIGH/CRITICAL CVEs associated with Log4j v1.2.x:

CVE-2021-4104, CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307

ljkimmel commented 2 years ago

I see that slf4j is actually being used since version 1.5.15. I'm not a Java dev but, from what I gather, this is just an abstraction that allows the actual logging implementation to be selected at deployment time based on which framework's binding is on the classpath. Is the effect of this that the logger that ends up being used is the one provided by Rundeck itself? If so, could the log4j-1.2.x jar be removed from this plugin?

fdevans commented 2 years ago

You're correct, the latest version is using Slf4j. Log4J shouldn't be part of the latest package. Do you have scans of the latest build that say otherwise?

ljkimmel commented 2 years ago

Maybe not. I was still using 1.5.13 when I placed this comment. As I was waiting for a reply I installed 1.7.0 and did some testing. Previously, I saw the Log4j 1.2.15 jar file under libext/cache. I just verified that, with plugin v1.7.0, I no longer see the log4j jar. I just assumed it would be included since I still see it in this repo under third-party. I also extracted the latest jar file and it's not in there.
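The check described in the comment above (look under libext/cache, then extract the plugin jar and confirm no Log4j 1.2 jar is inside) can be scripted. The following is an added example, not code from the rundeck-ec2-nodes-plugin project or from either commenter. It builds two constructed plugin jars in a temp directory, one that bundles Log4j 1.2 classes directly and as a nested lib/log4j-1.2.15.jar, and one that only references the slf4j API, then scans both. The nested-jar layout, the jar names and the class bodies are assumptions made for the example; the class-to-CVE mapping covers the CVEs listed earlier in the thread.

```python
"""Check whether a Rundeck plugin jar still ships Log4j 1.2.x classes.

Constructed example: two fake plugin jars are built in a temp dir, one
bundling Log4j 1.2 (directly and as a nested lib/*.jar) and one using only
the slf4j API, then both are scanned.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# Log4j 1.2.x classes behind the CVEs named in the thread.  Presence of the
# class is what a scanner flags; whether the appender is actually configured
# is a separate question, so treat a hit as "bundled", not "exploitable".
LOG4J1_CVE_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/JMSSink.class": "CVE-2022-23302",
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305",
    "org/apache/log4j/chainsaw/Main.class": "CVE-2022-23307",
}


def _scan(zf, prefix=""):
    """Walk one zip; recurse into nested *.jar entries (assumed layout:
    a plugin jar may bundle its dependencies under lib/)."""
    f = {"log4j1_classes": [], "cve_hits": {}, "slf4j_api": False,
         "nested_jars": []}
    for name in zf.namelist():
        full = prefix + name
        if name.startswith("org/apache/log4j/"):
            f["log4j1_classes"].append(full)
            cve = LOG4J1_CVE_CLASSES.get(name)
            if cve:
                f["cve_hits"][full] = cve
        elif name.startswith("org/slf4j/"):
            f["slf4j_api"] = True
        elif name.lower().endswith(".jar"):
            f["nested_jars"].append(full)
            with zf.open(name) as nested:
                inner = zipfile.ZipFile(io.BytesIO(nested.read()))
            sub = _scan(inner, full + "!/")
            f["log4j1_classes"] += sub["log4j1_classes"]
            f["cve_hits"].update(sub["cve_hits"])
            f["nested_jars"] += sub["nested_jars"]
            f["slf4j_api"] = f["slf4j_api"] or sub["slf4j_api"]
    return f


def scan_plugin_jar(path):
    """Scan a plugin jar on disk; returns the findings dict plus a verdict."""
    with zipfile.ZipFile(path) as zf:
        f = _scan(zf)
    f["bundles_log4j1"] = bool(f["log4j1_classes"])
    return f


def _build_jar(entries):
    """Return zip bytes for {entry_name: bytes}; class bodies are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Build and scan the two constructed jars; returns both reports."""
    tmp = Path(tempfile.mkdtemp())
    nested_log4j = _build_jar({
        "org/apache/log4j/net/SocketServer.class": b"\xca\xfe\xba\xbe",
    })
    old = tmp / "plugin-old.jar"  # hypothetical pre-slf4j build
    old.write_bytes(_build_jar({
        "com/example/plugin/Main.class": b"\xca\xfe\xba\xbe",
        "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
        "org/apache/log4j/net/JMSAppender.class": b"\xca\xfe\xba\xbe",
        "lib/log4j-1.2.15.jar": nested_log4j,
    }))
    new = tmp / "plugin-new.jar"  # hypothetical slf4j-only build
    new.write_bytes(_build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/plugin/Main.class": b"\xca\xfe\xba\xbe",
        "org/slf4j/Logger.class": b"\xca\xfe\xba\xbe",
    }))
    return {"old": scan_plugin_jar(old), "new": scan_plugin_jar(new)}


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, "bundles log4j 1.x:", report["bundles_log4j1"])
        for cls, cve in report["cve_hits"].items():
            print("   ", cve, cls)
```

Point `scan_plugin_jar` at a real plugin jar (or at each jar Rundeck has unpacked under libext/cache) to get the same report. The scan keys on class paths rather than on jar file names, so a Log4j 1.2 copy that was shaded or renamed still shows up; a nested jar is reported with the `outer.jar!/inner/path` notation so you can tell bundled dependencies from the plugin's own classes.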

fdevans commented 2 years ago

👍