Open jbgosset opened 2 years ago
Hi!
Good question! Here's my take on things: since LRMixStudio uses Log4j 1.2.17 and the default configuration does not enable the JMSAppender, neither CVE-2021-44228 nor its 'successor' CVE-2021-45046 is applicable. Given the rapid succession of CVEs for the log4j framework and the noises I get from my IT people, I'm holding off on updating to the log4j 2.x branch until things have quieted down a bit.
So in short: I'd rather not update right now as we're not immediately vulnerable and updating may actually introduce vulnerabilities.
Regards, Jeroen
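Added example, not part of the original thread and not LRMixStudio code: a way to confirm that a Log4j 1.x `log4j.properties` file does not enable the JMSAppender, which is the condition the reply above relies on. The sample configurations are constructed for illustration, and the parser assumes `key=value` lines without backslash continuations.

```python
import re

# Fully qualified class name of the Log4j 1.x JMS appender.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def jms_appenders_in_properties(text):
    """Return {appender_name: [logger keys that attach it]} for every
    JMSAppender defined in a Log4j 1.x properties configuration."""
    defined, attached = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, value = (part.strip() for part in line.split("=", 1))
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            defined.add(m.group(1))
        elif re.match(r"log4j\.(rootLogger|rootCategory|logger\.|category\.)", key):
            # Logger values have the form "[LEVEL], appender1, appender2, ..."
            for name in [v.strip() for v in value.split(",")][1:]:
                attached.setdefault(name, []).append(key)
    return {name: attached.get(name, []) for name in defined}

# Constructed sample: console logging only, no JMSAppender.
SAFE_CONFIG = """\
# console only
log4j.rootLogger=INFO, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
"""

# Constructed sample: a JMSAppender is defined and attached to the root logger.
RISKY_CONFIG = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=exampleTopic
"""

# Constructed sample: a JMSAppender is defined but no logger references it.
UNATTACHED_CONFIG = SAFE_CONFIG + "log4j.appender.jms=" + JMS_APPENDER + "\n"

if __name__ == "__main__":
    for label, cfg in [("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG),
                       ("unattached", UNATTACHED_CONFIG)]:
        print(label, jms_appenders_in_properties(cfg))
```

An empty result means no JMSAppender is configured; a non-empty one lists each JMSAppender and the loggers that use it, so a defined but unattached appender shows up with an empty list.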
Hi,
Would it be possible to upgrade the Log4j version to 2.16.0?