The latest log4j2 is 2.17.1. That's the version used in our pom.xml in git.

1.6.x actually ships with log4j 1.x.

The Axis2 1.8.0 release shipped log4j2 jars, which unfortunately need
to be patched manually with the latest jars.

We'll be releasing 1.8.1 soon that will fix that.

On Wed, Jan 26, 2022 at 11:02 AM Malaluan, Jay Joel <
jayjoel.malal...@ethoca.com> wrote:

> Hi,
>
> During December 2021, there was a log4j-wide vulnerability. For reference,
> https://logging.apache.org/log4j/2.x/security.html.
>
> At that time our company did some patching to address our vulnerable
> components.
>
> We use a very old version of the axis2.war, which is v1.6.x. Based on our
> internal scan, it was found that it has axis2/WEB-INF/lib/log4j-1.2.15.jar.
>
> Our security team's recommended fix should be >= log4j 2.16.0.
>
> Looking at the latest available release in
> https://axis.apache.org/axis2/java/core/download.html,
> it's axis2-1.8.0.war. And when I peeked inside, the log4j library
> versions are still 2.14.1.
>
> WEB-INF/lib/log4j-api-2.14.1.jar
> WEB-INF/lib/log4j-core-2.14.1.jar
> WEB-INF/lib/log4j-jcl-2.14.1.jar
>
> Based on the site, https://logging.apache.org/log4j/2.x/security.html,
> it should be 2.17.0 (for Java 8 and later).
>
> Is there a newer axis2.war release that has the latest 2.17.x log4j
> library version?
>
> Thanks.
>
>
>
> *Jay Malaluan*
> Software Development Engineer II
>
> Mastercard
>
> CONFIDENTIALITY NOTICE This e-mail message and any attachments are only
> for the use of the intended recipient and may contain information that is
> privileged, confidential or exempt from disclosure under applicable law. If
> you are not the intended recipient, any disclosure, distribution or other
> use of this e-mail message or attachments is prohibited. If you have
> received this e-mail message in error, please delete and notify the sender
> immediately. Thank you.
>

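The check discussed in this thread (peeking inside a WAR to see which log4j jars it bundles, then deciding which need replacing) is easy to get wrong by eye, and a jar that was renamed rather than replaced during a manual patch looks fine on a file listing. The script below is an added example, not code from the thread or from the Axis2 project. It opens a WAR as a zip, finds every log4j jar under WEB-INF/lib, takes the version from the file name, cross-checks it against the jar's own META-INF/MANIFEST.MF Implementation-Version, and classifies each jar against a floor of 2.17.1 (the version named in the reply; an assumption you would set to your own policy). The sample WAR it builds is constructed in memory to mirror the listing in the question, plus a log4j 1.x jar and a renamed jar, so it runs offline.

```python
"""Audit a WAR for bundled log4j jars (added example; not Axis2 project code).

Assumptions, all constructed for this example: the WAR is read from bytes,
the version floor is 2.17.1 as stated in the thread, and each jar's version
is taken from its file name and cross-checked against the jar's own
META-INF/MANIFEST.MF Implementation-Version so a renamed jar is not trusted.
"""
import io
import re
import zipfile

MIN_LOG4J2 = (2, 17, 1)  # floor taken from the thread; adjust to your policy

# WEB-INF/lib/log4j-core-2.14.1.jar -> ("log4j-core", "2.14.1")
# WEB-INF/lib/log4j-1.2.15.jar      -> ("log4j", "1.2.15")
JAR_RE = re.compile(r"^WEB-INF/lib/(log4j(?:-[A-Za-z0-9.]+)*?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """'2.14.1' or '2.14.1-SNAPSHOT' -> (2, 14, 1); tuples compare numerically."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def manifest_version(jar_bytes):
    """Implementation-Version from the jar's MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return None
    for line in text.splitlines():  # version lines are short, so no continuation handling
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def classify(version):
    """Map an effective version tuple to an action."""
    if version[0] < 2:
        return "log4j-1.x"    # 1.x is end of life; no 2.x update covers it
    if version < MIN_LOG4J2:
        return "below-floor"  # replace the jar with the floor version
    return "ok"


def audit_war(war_bytes):
    """Return one finding per log4j jar under WEB-INF/lib, sorted by path."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = JAR_RE.match(name)
            if not m:
                continue
            artifact, name_ver = m.group(1), parse_version(m.group(2))
            mf = manifest_version(war.read(name))
            mf_ver = parse_version(mf) if mf else ()
            effective = mf_ver or name_ver  # trust the manifest over the file name
            findings.append({
                "path": name,
                "artifact": artifact,
                "filename_version": name_ver,
                "manifest_version": mf,
                "renamed": bool(mf_ver) and mf_ver != name_ver,
                "status": classify(effective),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_jar(impl_version=None):
    """Constructed stand-in for a jar: a zip holding only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        lines = ["Manifest-Version: 1.0"]
        if impl_version:
            lines.append(f"Implementation-Version: {impl_version}")
        jar.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines) + "\r\n")
    return buf.getvalue()


def build_sample_war():
    """Constructed WAR mirroring the thread's listing, plus two extra cases."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for art in ("log4j-api", "log4j-core", "log4j-jcl"):
            war.writestr(f"WEB-INF/lib/{art}-2.14.1.jar", build_jar("2.14.1"))
        war.writestr("WEB-INF/lib/log4j-1.2.15.jar", build_jar("1.2.15"))
        # a 2.14.1 jar that someone renamed instead of replacing
        war.writestr("WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar", build_jar("2.14.1"))
        war.writestr("WEB-INF/lib/axis2-kernel-1.8.0.jar", build_jar("1.8.0"))  # ignored
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war()
    for f in audit_war(data):
        note = f" (manifest says {f['manifest_version']})" if f["renamed"] else ""
        print(f"{f['status']:<12} {f['path']}{note}")
```

Run it with a path to a real WAR (`python audit_war.py axis2.war`) or with no argument to see the constructed sample. The manifest cross-check is the part worth keeping: a jar that carries the right name but the wrong Implementation-Version is reported as below-floor and flagged as renamed, which is exactly the mistake a hurried manual jar swap produces.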