[ 
https://issues.apache.org/jira/browse/LOGGING-180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17502913#comment-17502913
 ] 

Gilles Sadowski commented on LOGGING-180:
-----------------------------------------

The [CVE page|https://github.com/advisories/GHSA-8489-44mv-ggj8] linked to, in 
the description, refers to
{noformat}
 org.apache.logging.log4j:log4j-core
{noformat}
while the version being referred to, in the second comment, refers to
{noformat}
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
{noformat}
This (optional) dependency is not subject to the mentioned vulnerability (cf. 
version ranges in the CVE page).

Please close this issue, or provide more details about what "is causing 
security errors".
{quote}causing false positives by scanners
{quote}
Isn't the bug there?

> Upgrade commons logging log4j dependency versions to 2.17.0 and above
> ---------------------------------------------------------------------
>
>                 Key: LOGGING-180
>                 URL: https://issues.apache.org/jira/browse/LOGGING-180
>             Project: Commons Logging
>          Issue Type: Bug
>    Affects Versions: 1.1.1, 1.2
>            Reporter: Swyrik Thupili
>            Priority: Major
>
> Please update the log4j 2 version to log4j 2.17.0 or above, as the 
> current versions are susceptible to the 
> [CVE-2021-44832|https://github.com/advisories/GHSA-8489-44mv-ggj8] security 
> vulnerability.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
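The false positive discussed in the comment comes from matching on the artifact name alone rather than on the full Maven coordinates. The following is an added example (not code from the Commons Logging project or the thread) that contrasts the two matching strategies on a constructed pom.xml fragment; the advisory record is reduced to the group and artifact quoted in the comment, and the version strings are constructed.

```python
"""Coordinate-aware dependency matching versus a naive artifact-name match."""
import xml.etree.ElementTree as ET

# Elements in a real pom.xml are qualified with the Maven POM namespace.
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed fragment mirroring the two coordinates discussed in the comment;
# the <version> values are constructed sample data, not taken from the thread.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.16.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Coordinates named by GHSA-8489-44mv-ggj8 (CVE-2021-44832) as quoted in the
# comment. Affected version ranges are deliberately left out: a coordinate hit
# is only a candidate until the range from the advisory itself is checked.
ADVISORY = {"groupId": "org.apache.logging.log4j", "artifactId": "log4j-core"}


def parse_dependencies(pom_xml: str) -> list[dict]:
    """Return groupId/artifactId/version for every <dependency> in a POM string."""
    root = ET.fromstring(pom_xml)
    fields = ("groupId", "artifactId", "version")
    return [{f: (dep.findtext(POM_NS + f) or "") for f in fields}
            for dep in root.iter(POM_NS + "dependency")]


def naive_matches(dep: dict) -> bool:
    """Scanner heuristic firing on the artifact name alone: flags both dependencies."""
    return "log4j" in dep["artifactId"].lower()


def is_advisory_candidate(dep: dict) -> bool:
    """Match on the full groupId:artifactId pair: only log4j-core is a candidate."""
    return (dep["groupId"], dep["artifactId"]) == (ADVISORY["groupId"], ADVISORY["artifactId"])


def classify(pom_xml: str) -> dict[str, tuple[bool, bool]]:
    """Map 'groupId:artifactId' -> (naive_hit, coordinate_hit) for each dependency."""
    return {f"{d['groupId']}:{d['artifactId']}": (naive_matches(d), is_advisory_candidate(d))
            for d in parse_dependencies(pom_xml)}
```

Running `classify(SAMPLE_POM)` shows `log4j:log4j` flagged only by the naive check, which is the false positive the comment describes.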
