[
https://issues.apache.org/jira/browse/JDO-800?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Bouschen reopened JDO-800:
----------------------------------
According to [https://logging.apache.org/log4j/2.x/security.html] there is a
new vulnerability with Log4j: "Apache Log4j2 versions 2.0-alpha1 through 2.16.0
did not protect from uncontrolled recursion from self-referential lookups."
This vulnerability only affects log4j-core: "Note that only the log4j-core JAR
file is impacted by this vulnerability. Applications using only the log4j-api
JAR file without the log4j-core JAR file are not impacted by this
vulnerability.".
Howevere we should update the log4j dependency in tck to version 2.17.0.
> Update Log4j Version
> --------------------
>
> Key: JDO-800
> URL: https://issues.apache.org/jira/browse/JDO-800
> Project: JDO
> Issue Type: Improvement
> Components: tck
> Affects Versions: JDO 3.2
> Reporter: Michael Bouschen
> Assignee: Michael Bouschen
> Priority: Major
> Fix For: JDO 3.2
>
>
> Log4j Versions up to 2.14.1 have a security finding CVE-2021-44228.
> Update log4j to version 2.15.0
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
