This is fixed in the Axis2 git repo as we switched entirely to log4j2.

On Fri, Feb 26, 2021 at 1:42 AM Andrew Marlow <[email protected]> wrote:
> Hello everyone,
>
> I have noticed that axis2 depends on log4j version 1 and spring framework
> 2.5.1. These have significant CVEs. Are there any plans for axis2 to move
> off these vulnerable components please?
>
> log4j-v1
> Apache Axis2 - Transport - testkit
> Apache Axis2 - tool - WSDL2Code Maven Plugin
>
> spring-core-2.5.1
> Apache Axis2 - spring
> --
> Regards,
>
> Andrew Marlow
> http://www.andrewpetermarlow.co.uk
