[ https://issues.apache.org/jira/browse/LOGGING-180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17507695#comment-17507695 ]
Bernd Eckenfels commented on LOGGING-180:
-----------------------------------------

Some humans and tools wrongly flag 1.2 as affected by the 2.x CVEs, but that's not the actual problem. The actual problem is that 1.2.17 has many known/unresolved CVEs on its own (remotely related to log4shell). That could be fixed with reload4j 1.2.18 or by migrating to log4j 2 (which is, funnily enough, strange: to migrate to a branch which caused the biggest security incident in history in order to claim it's more secure :)

I think it is important to keep known CVEs out of toolchains, even when it is only a build dependency. But it's not a high prio, especially if it is 10 dependencies deep…

> Upgrade commons logging log4j dependency versions to 2.17.0 and above
> ---------------------------------------------------------------------
>
>                 Key: LOGGING-180
>                 URL: https://issues.apache.org/jira/browse/LOGGING-180
>             Project: Commons Logging
>          Issue Type: Bug
>    Affects Versions: 1.1.1, 1.2
>            Reporter: Swyrik Thupili
>            Priority: Major
>
> Please update the log4j 2 version to the log4j 2.17.0 and above. As the
> current versions are susceptible to
> [CVE-2021-44832|https://github.com/advisories/GHSA-8489-44mv-ggj8] Security
> Vulnerability.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
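The comment's point is that an end-of-life log4j 1.2.x artifact can sit several levels deep in a build-only dependency chain and still carries its own open CVEs, and that the drop-in fix is reload4j. As an added illustration (this script is not from the Jira thread or the Commons Logging project), the Python below parses `mvn dependency:tree` output, reports every `log4j:log4j` 1.x occurrence with its depth and scope, and names the replacement coordinate. The tree text is constructed for the example; the `org.example:*` artifacts are hypothetical stand-ins for a deep build-only chain, and `ch.qos.reload4j:reload4j:1.2.18` is assumed as the target version because 1.2.18 is the version the comment names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output; it is NOT the real Commons
# Logging build. org.example:* are hypothetical artifacts standing in for a
# build-only chain of the kind the comment mentions ("10 dependencies deep").
SAMPLE_TREE = r"""
[INFO] org.apache.commons:commons-logging:jar:1.2:
[INFO] +- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.example:build-tool:jar:1.0:test
[INFO] |  \- org.example:build-plugin-core:jar:1.0:test
[INFO] |     \- log4j:log4j:jar:1.2.17:test
[INFO] \- junit:junit:jar:4.13.2:test
"""

# Artifacts to flag and the drop-in replacement the comment proposes.
# reload4j 1.2.18 is assumed as the target because that is the version named.
REPLACEMENTS: Dict[Tuple[str, str], str] = {
    ("log4j", "log4j"): "ch.qos.reload4j:reload4j:1.2.18",
}

# One tree line: optional Maven log prefix, tree-drawing prefix (3 chars per
# nesting level), then group:artifact:type[:classifier]:version[:scope].
_LINE = re.compile(r"^(?:\[INFO\] )?(?P<prefix>(?:\+- |\\- |\|  |   )*)(?P<coord>\S+)$")


def parse_tree(text: str) -> List[dict]:
    """Parse dependency:tree output into group/artifact/version/scope/depth records."""
    nodes = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # blank lines and unrelated log output
        parts = m.group("coord").rstrip(":").split(":")
        if len(parts) < 4:
            continue
        if len(parts) == 4:            # root line: g:a:type:version, no scope
            version, scope = parts[3], ""
        else:                          # g:a:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        nodes.append({
            "group": parts[0], "artifact": parts[1], "version": version,
            "scope": scope, "depth": len(m.group("prefix")) // 3,
        })
    return nodes


def find_flagged(text: str) -> List[dict]:
    """Return every occurrence of a flagged artifact, at any depth in the tree."""
    findings = []
    for n in parse_tree(text):
        key = (n["group"], n["artifact"])
        # log4j 1.x as a whole is end-of-life; flag any 1.x version of it
        if key in REPLACEMENTS and n["version"].startswith("1."):
            findings.append({
                "coordinate": f'{n["group"]}:{n["artifact"]}:{n["version"]}',
                "depth": n["depth"],
                "scope": n["scope"],
                "build_only": n["scope"] in ("test", "provided"),
                "replace_with": REPLACEMENTS[key],
            })
    return findings


if __name__ == "__main__":
    for f in find_flagged(SAMPLE_TREE):
        kind = "build-only" if f["build_only"] else "shipped"
        print(f'{f["coordinate"]} at depth {f["depth"]} '
              f'({f["scope"] or "root"}, {kind}) -> replace with {f["replace_with"]}')
```

Run it against real output with `mvn dependency:tree > tree.txt` and feed the file to `find_flagged`; the `build_only` flag separates what ships with the artifact from what only the toolchain pulls in, which is the distinction the comment draws when weighing priority.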