[ https://issues.apache.org/jira/browse/AXIS2-6020?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Siva Gopal updated AXIS2-6020:
------------------------------
    Description: 
With Axis2 v1.8.0, you are shipping log4j-api-2.14.1.jar and 
log4j-core-2.14.1.jar files. So could you please throw some light on what is 
the roadmap to address the recent log4j 2 vulnerability: CVE-2021-44228 and any 
such previous vulnerabilities (e.g. CVE-2021-45105, CVE-2021-4104, etc.), or are 
the shipped DLLs already patched against the vulnerability? Or please 
provide details on whether we can replace shipped log4j jar files with latest patch 
jars before deploying our applications or any alternative?

Thanks!

  was:
With Axis2 v1.8.0, you are shipping log4j-api-2.14.1.jar and 
log4j-core-2.14.1.jar files. So could you please throw some light on what is 
the roadmap to address the recent log4j 2 vulnerability: CVE-2021-44228 and any 
such previous vulnerabilities (e.g. CVE-2021-45105, CVE-2021-4104, etc.), or are 
the shipped DLLs already patched against the vulnerability? Or please 
provide details on whether we can replace shipped log4j jar files with latest patch 
jars before deploying our applications?

Thanks!


> Remediation for CVE-2021-44228
> ------------------------------
>
>                 Key: AXIS2-6020
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6020
>             Project: Axis2
>          Issue Type: Improvement
>    Affects Versions: 1.8.0
>            Reporter: Siva Gopal
>            Priority: Critical
>
> With Axis2 v1.8.0, you are shipping log4j-api-2.14.1.jar and 
> log4j-core-2.14.1.jar files. So could you please throw some light on what is 
> the roadmap to address the recent log4j 2 vulnerability: CVE-2021-44228 and 
> any such previous vulnerabilities (e.g. CVE-2021-45105, CVE-2021-4104, etc.), 
> or are the shipped DLLs already patched against the vulnerability? Or 
> please provide details on whether we can replace shipped log4j jar files with 
> latest patch jars before deploying our applications or any alternative?
> Thanks!


