[
https://issues.apache.org/jira/browse/LOGGING-180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17507695#comment-17507695
]
Bernd Eckenfels commented on LOGGING-180:
-----------------------------------------
Some humans and tools wrongly flag 1.2 as affected by the 2.x CVEs, but that’s
not the actual problem. The actual problem is that 1.2.17 has many
known/unresolved CVEs on its own (remotely related to log4shell). That could be
fixed with reload4j 1.2.18 or by migrating to log4j 2 (which is funny enough
strange to migrate to a branch which caused the biggest security incident in
history in order to claim its more secure :)
I think it is important to keep known CVEs out of toolchains, even when it is
only a build dependency. But it’s not a high prio, especially if it is 10
dependencies deep…
> Upgrade commons logging log4j dependency versions to 2.17.0 and above
> ---------------------------------------------------------------------
>
> Key: LOGGING-180
> URL: https://issues.apache.org/jira/browse/LOGGING-180
> Project: Commons Logging
> Issue Type: Bug
> Affects Versions: 1.1.1, 1.2
> Reporter: Swyrik Thupili
> Priority: Major
>
> Please update the log4j 2 version to the log4j 2.17.0 and above. As the
> current versions are susceptible to
> [CVE-2021-44832|https://github.com/advisories/GHSA-8489-44mv-ggj8] Security
> Vulnerability.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
