[ https://issues.apache.org/jira/browse/AXIS2-6017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17460339#comment-17460339 ]
Robert Lazarski commented on AXIS2-6017:
----------------------------------------

Update: log4j2 has released 2.16.0 and Axis2 has updated our pom.xml. Users are strongly encouraged to update their jars ASAP. Either update the jar manually to the latest version or build Axis2 from source as described above.

[~veithen] I'm thinking about doing a release of Axis2 for these updates since we distribute the problem jars in our Axis2.war that is downloadable from our Apache Axis2 site. Do you agree? Anything you'd like to see going into the release at this stage - or simply start a vote with the master repo as is?

> Is Axis2 vulnerable to Log4shell?
> ---------------------------------
>
>                 Key: AXIS2-6017
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6017
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Maarten Engels
>            Priority: Major
>              Labels: Security
>
> We all recently learned about the Log4j vulnerability “Log4shell”. As the
> axis framework uses Log4j, is axis vulnerable? Do you have any mitigation
> available?
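One way to check a deployed WAR for the bundled jars this comment refers to, as an added example that is not part of the original message or of Axis2: it lists `log4j-core` jars inside the archive and flags any older than 2.16.0, the version named in the comment. It assumes the standard `log4j-core-<version>.jar` artifact naming; the function names and the in-memory sample WAR are constructed for illustration.

```python
import io
import re
import zipfile

# Threshold taken from the comment above: log4j2 2.16.0 is the version Axis2 moved to.
MIN_VERSION = (2, 16, 0)

# Matches e.g. WEB-INF/lib/log4j-core-2.14.1.jar (assumed standard artifact naming).
JAR_RE = re.compile(r"(?:^|/)log4j-core-(\d+)\.(\d+)(?:\.(\d+))?[^/]*\.jar$")


def find_log4j_core(war):
    """Return [(entry_name, version_tuple, needs_update)] for log4j-core jars in a WAR.

    `war` is a path or a file-like object; only archive entry names are inspected.
    """
    results = []
    with zipfile.ZipFile(war) as zf:
        for name in zf.namelist():
            m = JAR_RE.search(name)
            if not m:
                continue
            # A missing patch component (e.g. "2.17") is treated as 0.
            version = tuple(int(g or 0) for g in m.groups())
            results.append((name, version, version < MIN_VERSION))
    return sorted(results)


def build_sample_war(jar_names):
    """Constructed sample: an in-memory WAR whose lib jars are empty placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_war(["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar"])
    for name, version, stale in find_log4j_core(sample):
        status = "UPDATE" if stale else "ok"
        print(f"{status:6} {name} ({'.'.join(map(str, version))})")
```

The check reads entry names only, so a renamed or repackaged jar inside the WAR would not be reported.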