[ https://issues.apache.org/jira/browse/AXIS2-5857?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17489006#comment-17489006 ]
Andrew Peter Marlow commented on AXIS2-5857:
--------------------------------------------

I understand that it is not exposed to the vulnerabilities that everyone is talking about. However, if the pom contains a reference to it, then as far as automated tools are concerned there is a dependency on a vulnerable component. The Mgmt (TM) of some companies are using these tools without engaging their brains and will thus say that axis2 is exposed via its dependency on log4j1. It is no good trying to use reason and logic to make the argument with these people. So, to silence them I think it would be good to remove the dependency.

The top level pom contains the dependency log4j-1.2-api at line 744. The same dependency is in modules/transport/jms/pom.xml at line 87.

> Log4j 1.x has reached EOL
> --------------------------
>
> Key: AXIS2-5857
> URL: https://issues.apache.org/jira/browse/AXIS2-5857
> Project: Axis2
> Issue Type: Improvement
> Affects Versions: 1.7.5
> Reporter: spoorti
> Priority: Minor
>
> Log4j 1.x has reached EOL. Even the latest release version of Axis2
> contains the 1.x version of log4j.
> It needs to be upgraded to 2.8.2 or higher, since the other 2.x versions have
> vulnerabilities reported.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
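As an added illustration of the point raised in the comment (example code, not from Axis2 or the commenter): a small scanner of the kind automated dependency checkers run over poms, matching on Maven coordinates in both direct and managed dependencies. It reports the real Log4j 1.x artifact (`log4j:log4j`) and the `log4j-1.2-api` bridge separately, and the two pom fragments are constructed samples, not the actual Axis2 poms.

```python
"""Scan Maven POM text for Log4j 1.x-related coordinates (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample poms modelled on the comment: a top-level pom managing the
# bridge artifact and a module pom inheriting it. Not the real Axis2 files.
ROOT_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId><version>2.8.2</version></dependency>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version></dependency>
  </dependencies></dependencyManagement>
</project>"""
JMS_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId></dependency>
    <dependency><groupId>commons-logging</groupId>
      <artifactId>commons-logging</artifactId><version>1.2</version></dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Coordinates a scanner should recognise, with what each one actually is:
# log4j:log4j is Log4j 1.x itself; log4j-1.2-api is the Log4j 2 bridge that
# only implements the 1.2 API on top of Log4j 2.
KNOWN = {
    ("log4j", "log4j"): "Log4j 1.x itself (EOL)",
    ("org.apache.logging.log4j", "log4j-1.2-api"): "Log4j 2 bridge for the 1.2 API",
}

def find_log4j_deps(pom_xml):
    """Return [(groupId, artifactId, version, note)] for every <dependency>,
    direct or in <dependencyManagement>, whose coordinates are in KNOWN.
    A dependency without <version> is reported as '(inherited)'."""
    root = ET.fromstring(pom_xml)
    hits = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="(inherited)", namespaces=NS)
        note = KNOWN.get((gid, aid))
        if note:
            hits.append((gid, aid, ver, note))
    return hits

if __name__ == "__main__":
    for name, pom in (("root", ROOT_POM), ("jms", JMS_POM)):
        for gid, aid, ver, note in find_log4j_deps(pom):
            print(f"{name}: {gid}:{aid}:{ver} -> {note}")
```

Running it lists both artifacts from the root pom and the inherited bridge from the module pom, which is exactly the reference a coordinate-matching tool will flag even though the bridge is not Log4j 1.x code.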