[ https://issues.apache.org/jira/browse/MRM-2025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461005#comment-17461005 ]

Martin Stockhammer commented on MRM-2025:
-----------------------------------------

I consider the risk low here, as the vulnerability can only be exploited if 
the configuration uses certain configuration patterns, and the code must be 
placed in the MDC. We have already changed the log4j version to 2.16.0 for the 
next release, which will be available not too far in the future, but we are not 
releasing immediately.

 

> Update to log4j 2.16.0 (CVE-2021-45046)
> ---------------------------------------
>
>                 Key: MRM-2025
>                 URL: https://issues.apache.org/jira/browse/MRM-2025
>             Project: Archiva
>          Issue Type: Dependency upgrade
>          Components: Audit Logging
>    Affects Versions: 2.2.6
>            Reporter: Robert Velter
>            Priority: Major
>
> log4j 2.15.0 is not enough to fully mitigate CVE-2021-44228.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 
> Best regards, Robert



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
