I looked at our pom.xml and we are using 2.13.3, so we need to update.

There is no risk, but it will be good to put out an RC6 once we have JCP 
approval.

Craig

> Begin forwarded message:
> 
> From: Gary Gregory <garydgreg...@gmail.com>
> Subject: Re: If your project is using log4j you need to update now 
> (CVE-2021-44228)
> Date: December 10, 2021 at 3:04:44 AM PST
> To: memb...@apache.org
> Reply-To: memb...@apache.org
> 
> It also helps to not use an antique version of Java 8, as Java 8u121 (see 
> https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) 
> protects against remote code execution by defaulting 
> "com.sun.jndi.rmi.object.trustURLCodebase" and 
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
> 
> Gary 
> 
> On Fri, Dec 10, 2021, 06:03 Mark J Cox <m...@apache.org> wrote:
> Log4j2 2.15.0 was released today to address CVE-2021-44228 which can lead to 
> remote code execution in various situations.
> 
> See:
> https://lists.apache.org/thread/p9sfg0z7t2gbgj76jz8rh1w28z11yq0v
> https://logging.apache.org/log4j/2.x/security.html
> 
> Note: any updates of ASF projects needed to address this should reference 
> CVE-2021-44228 and do not require a project-specific CVE.
> 
> (Taking the non-usual step of mailing members@ to ensure it gets seen 
> quickly, projects should monitor announce@apache for dependency CVE updates)
> 
> Regards, Mark J Cox
> ASF Security

Craig L Russell
c...@apache.org
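The two checks the thread asks projects to make (is log4j-core in the pom older than the 2.15.0 fix release, and is the runtime an 8u121-or-later Java 8 where the two JNDI trustURLCodebase properties Gary names default to false) can be scripted. The script below is an added example for this page, not code from the thread or from any Apache project; the pom.xml content is constructed for illustration, the function names are my own, and 2.15.0 is the fixed version named in the thread, not a claim about any later release.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not any project's real file). The log4j
# version lives in a <properties> entry, as Maven projects commonly do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <log4j.version>2.13.3</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = "2.15.0"  # release named in the thread for CVE-2021-44228


def parse_version(v):
    """Turn '2.13.3' or '2.15.0-rc1' into a comparable tuple.
    A pre-release tag sorts below the final release of the same number,
    so '2.15.0-rc1' is still reported as older than '2.15.0'."""
    main, _, tag = v.partition("-")
    nums = tuple(int(p) for p in main.split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, tag) if tag else (1, ""))


def resolve(value, props):
    """Expand ${prop} references against the pom's <properties>."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)), value)


def log4j_core_versions(pom_xml):
    """Return every log4j-core version declared directly in the pom."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    found = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        ver = dep.findtext("m:version", "", NS).strip()
        if gid == "org.apache.logging.log4j" and aid == "log4j-core":
            found.append(resolve(ver, props))
    return found


def needs_update(pom_xml):
    """List the declared log4j-core versions older than the fix release."""
    return [v for v in log4j_core_versions(pom_xml)
            if parse_version(v) < parse_version(FIXED_VERSION)]


# Matches the 1.8.0_NNN form printed by `java -version` on Java 8.
JAVA8_VERSION_RE = re.compile(r'version "(\d+)\.(\d+)\.(\d+)_(\d+)')


def java8_trust_url_codebase_defaults_false(java_version_output):
    """True when the output is from Java 8 at update 121 or later, where
    com.sun.jndi.rmi.object.trustURLCodebase and
    com.sun.jndi.cosnaming.object.trustURLCodebase default to false.
    Returns None for anything that is not in the 1.8.0_NNN form."""
    m = JAVA8_VERSION_RE.search(java_version_output)
    if not m or (int(m.group(1)), int(m.group(2))) != (1, 8):
        return None
    return int(m.group(4)) >= 121


if __name__ == "__main__":
    print("log4j-core needing update:", needs_update(SAMPLE_POM))
    # `java -version` writes to stderr; capture with 2>&1 before piping in.
    print("8u121+ JNDI defaults:",
          java8_trust_url_codebase_defaults_false('java version "1.8.0_111"'))
```

Two caveats a practitioner should keep in mind: the pom scan only sees direct dependencies, so a log4j-core pulled in transitively will be missed unless you run `mvn dependency:tree` and feed that output to the same version check; and the Java check reasons about the 8u121 defaults only, it does not read the property values a running JVM was actually started with, which a `-D` flag on the command line can override either way.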
