Yes, upgrading to 2.17.1 will work on Axis 1.8.0. We are all volunteers so we have no ETA besides it will go out soon.

On Wed, Jan 26, 2022 at 11:21 AM Malaluan, Jay Joel <jayjoel.malal...@ethoca.com> wrote:

> Hi,
>
> Appreciate the feedback!
>
> At this point, should we just use the latest axis2-1.8.0.war and patch the lower log4j 2.14.1 version to the newer 2.17.0? Has that been done and proven to work on your end?
>
> When can we expect the 1.8.1 to be available?
>
> Thanks.
>
> From: robertlazarski <robertlazar...@gmail.com>
> Reply-To: "java-user@axis.apache.org" <java-user@axis.apache.org>
> Date: Wednesday, January 26, 2022 at 4:12 PM
> To: "java-user@axis.apache.org" <java-user@axis.apache.org>
> Subject: {EXTERNAL} Re: [Axis2] log4j inquiry
>
> The latest log4j2 is 2.17.1. That's the version used in our pom.xml in git.
>
> 1.6.x actually ships with log4j 1.x.
>
> The Axis2 release of 1.8.0 shipped log4j2 jars, which unfortunately need to be patched manually via the latest jars.
>
> We'll be releasing 1.8.1 soon that will fix that.
>
> On Wed, Jan 26, 2022 at 11:02 AM Malaluan, Jay Joel <jayjoel.malal...@ethoca.com> wrote:
>
> Hi,
>
> During December 2021, there was a log4j-wide vulnerability. For reference, https://logging.apache.org/log4j/2.x/security.html.
>
> At that time our company did some patching to address our vulnerable components.
>
> We use a very old version of the axis2.war, which is v1.6.x. Based on our internal scan, it was found that it has axis2/WEB-INF/lib/log4j-1.2.15.jar.
>
> Our security team's recommended fix should be >= log4j 2.16.0
>
> Looking at the latest available release in https://axis.apache.org/axis2/java/core/download.html.
>
> It's axis2-1.8.0.war, and when I peeked inside, the log4j library versions are still 2.14.1.
>
> WEB-INF/lib/log4j-api-2.14.1.jar
> WEB-INF/lib/log4j-core-2.14.1.jar
> WEB-INF/lib/log4j-jcl-2.14.1.jar
>
> Based on the site, https://logging.apache.org/log4j/2.x/security.html, it should be 2.17.0 (for Java 8 and later).
>
> Is there a newer axis2.war release that has the latest 2.17.x log4j library version?
>
> Thanks.
>
> Jay Malaluan
> Software Development Engineer II
> Mastercard
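
A check for the manual patch discussed in this thread, as an added example that is not from the thread's participants or the Axis2 project: it lists the log4j jars under WEB-INF/lib of a WAR and flags log4j2 jars below 2.17.1. The function names and the in-memory sample WAR are constructed for illustration, and versions are read from jar file names only, so a renamed jar is not detected.

```python
import io
import re
import zipfile

MIN_LOG4J2 = (2, 17, 1)  # the version the thread says to patch to
# Lazy artifact name so "log4j-1.2.15.jar" and "log4j-api-2.14.1.jar" both parse.
JAR_RE = re.compile(r"WEB-INF/lib/(log4j[\w.-]*?)-(\d+(?:\.\d+)+)\.jar")


def classify(artifact, version):
    """Return 'log4j-1.x', 'upgrade' or 'ok' for one bundled jar."""
    parsed = tuple(int(p) for p in version.split("."))
    if artifact == "log4j" and parsed[0] == 1:
        return "log4j-1.x"  # separate 1.x line, as bundled in axis2 1.6.x
    return "upgrade" if parsed < MIN_LOG4J2 else "ok"


def scan_war(war):
    """List (entry, artifact, version, status) for log4j jars in a WAR (path or file object)."""
    findings = []
    with zipfile.ZipFile(war) as zf:
        for entry in sorted(zf.namelist()):
            m = JAR_RE.fullmatch(entry)
            if m:
                artifact, version = m.groups()
                findings.append((entry, artifact, version, classify(artifact, version)))
    return findings


def build_sample_war(entries):
    """Constructed stand-in for a WAR: empty files with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample: the three log4j entries quoted in the thread for axis2-1.8.0.war.
    sample = build_sample_war([
        "WEB-INF/lib/log4j-api-2.14.1.jar",
        "WEB-INF/lib/log4j-core-2.14.1.jar",
        "WEB-INF/lib/log4j-jcl-2.14.1.jar",
    ])
    for entry, _artifact, _version, status in scan_war(sample):
        print(f"{status:10} {entry}")
```

Run `scan_war` again on the WAR after swapping the jars; every log4j2 entry should then report `ok`.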