[ https://issues.apache.org/jira/browse/AXIS2-6020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17464666#comment-17464666 ]

Robert Lazarski commented on AXIS2-6020:
----------------------------------------

I am going to close this issue because it is a duplicate of AXIS2-6017, see 
that issue for an explanation of actions to take.

This issue was a zero-day exploit and happened around two weeks ago. There have 
been three releases from Log4j2. In git, the Axis2 pom.xml was updated the same 
day as every release. 

There will be a release soon, though considering most people have already taken 
action and it is so close to the holidays, we are catching up on other issues 
and plan to release early next year.

 

> Patch for CVE-2021-44228
> ------------------------
>
>                 Key: AXIS2-6020
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6020
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.8.0
>            Reporter: Siva Gopal
>            Priority: Critical
>              Labels: security-issue
>
> With Axis2 v1.8.0, you are shipping log4j-api-2.14.1.jar and 
> log4j-core-2.14.1.jar files. So could you please throw some light on what 
> the roadmap is to address the recent log4j 2 vulnerability: CVE-2021-44228 and 
> any such previous vulnerabilities (e.g. CVE-2021-45105, CVE-2021-4104, etc.), 
> or are the shipped DLLs already patched against the vulnerability? Or 
> please provide details on whether we can replace the shipped log4j jar files with 
> the latest patch jars before deploying our applications, or any alternative?
> Thanks!


