Closed ctrueden closed 2 years ago
This issue has been mentioned on Image.sc Forum. There might be relevant details there:
https://forum.image.sc/t/is-imagej-affected-by-cve-2021-44228/60968/11
As of b5a043e7634022a3434a408ad95822f1092af07f, the SciJava component collection is free of log4j dependencies. As soon as pom-scijava 32.0.0 is released, downstream components with lingering log4j dependencies should update their parent version, remove log4j as a direct dependency if needed, and fix any other dependency issues leading to log4j coming in transitively. If log4j 1.x functionality is still a requirement, pom-scijava now manages reload4j, so components needing it can swap it in, in place of log4j.
Both log4j v1 (log4j:log4j) and log4j v2 (org.apache.logging.log4j:log4j-core) have had security issues. The following repositories (at least) should be checked:
And migrate logging to SLF4J as appropriate.
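The two steps described above (bumping the parent to pom-scijava 32.0.0 and cutting out transitive log4j, then swapping in reload4j or moving to SLF4J) look like this in a downstream component's pom.xml. This is an added illustration, not a file from any SciJava repository: `com.example:legacy-plugin` is a made-up dependency standing in for whatever artifact still drags in `log4j:log4j`, and the version-less `reload4j` and `slf4j-api` entries assume their versions are managed by the parent, as the comment above states for reload4j.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- Step 1: inherit the log4j-free dependency management from pom-scijava 32.0.0 -->
  <parent>
    <groupId>org.scijava</groupId>
    <artifactId>pom-scijava</artifactId>
    <version>32.0.0</version>
    <relativePath />
  </parent>

  <!-- Hypothetical downstream component (placeholder coordinates) -->
  <groupId>com.example</groupId>
  <artifactId>example-component</artifactId>
  <version>0.1.0-SNAPSHOT</version>

  <dependencies>
    <!-- Step 2: a (made-up) dependency that still pulls in log4j 1.x transitively.
         The exclusion keeps log4j:log4j off the classpath entirely. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>legacy-plugin</artifactId>
      <version>1.0.0</version>
      <exclusions>
        <exclusion>
          <groupId>log4j</groupId>
          <artifactId>log4j</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Step 3 (only if log4j 1.x API is still needed): reload4j is a drop-in
         replacement with the same org.apache.log4j packages; version managed by the parent. -->
    <dependency>
      <groupId>ch.qos.reload4j</groupId>
      <artifactId>reload4j</artifactId>
    </dependency>

    <!-- Step 4: new logging code targets the SLF4J API rather than log4j directly -->
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
    </dependency>
  </dependencies>
</project>
```

After editing, confirm nothing log4j-related survives in the resolved tree with `mvn dependency:tree -Dincludes=log4j:log4j,org.apache.logging.log4j:log4j-core`; an empty result for both patterns is the condition the comment above describes as "free of log4j dependencies". Note that excluding `log4j:log4j` without adding reload4j will break at runtime any dependency that still calls `org.apache.log4j` classes, which is exactly the case reload4j exists to cover.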