[ https://issues.apache.org/jira/browse/AXIS2-6017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458049#comment-17458049 ]

Robert Lazarski commented on AXIS2-6017:
----------------------------------------

The Department of Homeland Security in the USA has made a statement about the 
vulnerability. Because of that, CNN has now made the issue mainstream.

With that type of attention it is untenable to continue distributing these 
flawed jars with Axis2.

This is a zero-day exploit. End users should update their lib directory with the 
2.15.0 version of the jars ASAP.

We will release Axis2 with the updated jars soon. We likely will do an Axiom 
release first since it has the same problem. We are all volunteers so there is 
no ETA.

No one should wait; build from source or manually update your log4j2 jars now 
if you have not done so.

The Axis2 Java repo is now updated with the latest log4j2 jars. The unit tests 
passed. 

git clone https://github.com/apache/axis-axis2-java-core.git

> Is Axis2 vulnerable to Log4shell?
> ---------------------------------
>
>                 Key: AXIS2-6017
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6017
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Maarten Engels
>            Priority: Major
>              Labels: Security
>
> We all recently learned about the Log4j vulnerability “Log4shell”. As the 
> axis framework uses Log4j, is axis vulnerable? Do you have any mitigation 
> available?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
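
One way to check a lib directory for the log4j2 jars the comment above asks users to replace, as an added example that is not part of the original message or Axis2 project code. The jar name patterns (log4j-core, log4j-api), the function names and the sample directory are assumptions; 2.15.0 is the version named in the comment.

```shell
#!/bin/sh
# Added example, not Axis2 project code. Checks versions in jar file names only;
# it does not look inside fat/shaded jars.

# version_lt A B: succeeds when dotted numeric version A is lower than B.
version_lt() {
  a=$1; b=$2
  for n in 1 2 3; do
    x=${a%%.*}; y=${b%%.*}
    x=${x%%[!0-9]*}; y=${y%%[!0-9]*}      # "0-beta9" -> "0"
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
    case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
  done
  return 1                                 # versions are equal
}

# outdated_log4j_jars DIR [MIN]: print log4j-core/log4j-api jars under DIR
# whose file-name version is below MIN (default 2.15.0, from the comment).
outdated_log4j_jars() {
  dir=$1; min=${2:-2.15.0}
  find "$dir" -type f \( -name 'log4j-core-*.jar' -o -name 'log4j-api-*.jar' \) |
  LC_ALL=C sort |
  while IFS= read -r jar; do
    name=${jar##*/}
    ver=${name%.jar}
    ver=${ver#log4j-core-}; ver=${ver#log4j-api-}
    if version_lt "$ver" "$min"; then printf '%s\n' "$name"; fi
  done
}

# make_sample_lib DIR: constructed sample lib directory (empty placeholder files).
make_sample_lib() {
  mkdir -p "$1"
  for f in log4j-api-2.14.1.jar log4j-core-2.14.1.jar log4j-core-2.15.0.jar \
           log4j-core-2.0-beta9.jar commons-logging-1.2.jar; do
    : > "$1/$f"
  done
}

# Usage: sh check-log4j.sh /path/to/axis2/lib
if [ "$#" -gt 0 ]; then outdated_log4j_jars "$1"; fi
```

An empty result means no log4j-core or log4j-api jar with an older file-name version was found under the directory.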
