[ https://issues.apache.org/jira/browse/LOGGING-180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17507686#comment-17507686 ]
Joshua Eng commented on LOGGING-180:
------------------------------------
According to the MVN Repository site, the log4j 1.2.17 dependency is being
flagged with 4 CVE vulnerabilities:
[https://mvnrepository.com/artifact/log4j/log4j/1.2.17]. The main issue here is
that any log4j version under 2.17.0 is considered vulnerable by many
organizations and governments.
For my team, the computer security arm of our IT department is cracking down
hard on any vulnerable log4j dependencies. Right now our servers are
periodically being scanned for any traces of POM or JAR files from these
vulnerable log4j dependencies. Any servers found with these files are subject
to being shut down or pulled from the network. It would be very helpful to
implement support for log4j 2.17.0 and above, or any other non-vulnerable
logging library.
> Upgrade commons logging log4j dependency versions to 2.17.0 and above
> ---------------------------------------------------------------------
>
> Key: LOGGING-180
> URL: https://issues.apache.org/jira/browse/LOGGING-180
> Project: Commons Logging
> Issue Type: Bug
> Affects Versions: 1.1.1, 1.2
> Reporter: Swyrik Thupili
> Priority: Major
>
> Please update the log4j 2 version to log4j 2.17.0 and above, as the
> current versions are susceptible to the
> [CVE-2021-44832|https://github.com/advisories/GHSA-8489-44mv-ggj8] security
> vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)