Hi,

On Thu, Dec 16, 2021 at 7:57 AM Kumar, Amit (Noida) via jetty-dev <jetty-...@eclipse.org> wrote:
> Hi Team,
>
> We are using the below jars provided by you. We want to ensure and know if they are
> impacted by "Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack
> (CVE-2021-44228)". If they are impacted, please let us know about the security
> recommendation. To know this, we are looking for the following answer.
> Jars:
>
> jetty-4.2.19 4.2.19
> jetty-continuation-7.5.4.v20111024 7.5.4
> jetty-http-7.5.4.v20111024 7.5.4
> jetty-security-7.5.4.v20111024 7.5.4
> jetty-util-7.5.4.v20111024 7.5.4
> jetty-io-7.5.4.v20111024 7.5.4
> jetty-server-7.5.4.v20111024 7.5.4
Jetty 7.5.4 is from October 2011, more than 10 years ago.

If you are worried about the recent Log4j2 vulnerability, be aware that because you are using a Jetty version from 10 years ago, you are probably vulnerable to many other CVEs.

Jetty 4.2.19 is fossilized, but glad it's still working for you!

I would suggest you update your systems to a recent Jetty version, either from the 9.4.x series or the 10.0.x/11.0.x series.

In any case, Jetty 7 was not using Log4j2. If you have added a dependency on Log4j2 with your usage of Jetty 7, just update Log4j2 to 2.16.0 or later.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
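The reply's practical point is that Jetty 7 itself does not ship Log4j2, so what matters is whether the application added a log4j-core jar of its own and, if so, whether it is at 2.16.0 or later. The following is an added inventory script, not code from the Jetty project or from either poster. It opens each jar as a zip, looks for the Maven `pom.properties` that log4j-core jars carry under `META-INF/maven/org.apache.logging.log4j/log4j-core/` to read the version, and separately notes whether the `JndiLookup` class is present (a useful signal for shaded jars that lack `pom.properties`). The sample jars it builds in memory are constructed for the demonstration; the 2.16.0 threshold is the one stated in the reply above.

```python
"""Inventory check: which jars bundle Log4j2 core, and is that copy older than 2.16.0?

Added example (not Jetty project code). Sample jars are constructed in memory.
"""
import io
import re
import zipfile
from pathlib import Path

# Lookup class abused in CVE-2021-44228; shipped inside log4j-core.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven writes this file into log4j-core jars; it carries the artifact version.
LOG4J_CORE_POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Minimum version recommended in the reply above.
FIXED_VERSION = (2, 16, 0)


def parse_version(text):
    """Turn '2.14.1' (or '2.0-beta9') into a comparable tuple of ints; None if unparsable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())


def inspect_jar(source, name=None):
    """Inspect one jar (filesystem path or raw bytes) and report its Log4j2-core exposure."""
    if isinstance(source, (bytes, bytearray)):
        zf = zipfile.ZipFile(io.BytesIO(source))
        name = name or "<in-memory>"
    else:
        zf = zipfile.ZipFile(source)
        name = name or Path(source).name
    with zf:
        entries = set(zf.namelist())
        version = None
        if LOG4J_CORE_POM_PROPERTIES in entries:
            props = zf.read(LOG4J_CORE_POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = parse_version(value)
    # Treat any log4j-core class as evidence the library is bundled, even without pom.properties.
    has_log4j_core = any(e.startswith("org/apache/logging/log4j/core/") for e in entries)
    jndi_present = JNDI_LOOKUP_CLASS in entries
    # Flag when log4j-core is bundled and is either older than 2.16.0 or of unknown version.
    needs_update = has_log4j_core and (version is None or version < FIXED_VERSION)
    return {
        "jar": name,
        "has_log4j_core": has_log4j_core,
        "version": version,
        "jndi_lookup_present": jndi_present,
        "needs_update": needs_update,
    }


def scan_directory(directory):
    """Inspect every *.jar under a directory (recursively); one record per jar."""
    return [inspect_jar(p) for p in sorted(Path(directory).rglob("*.jar"))]


def build_sample_jar(log4j_version=None, with_jndi_lookup=False):
    """Construct a minimal fake jar in memory (demonstration only, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if log4j_version is not None:
            zf.writestr(
                LOG4J_CORE_POM_PROPERTIES,
                "groupId=org.apache.logging.log4j\nartifactId=log4j-core\n"
                f"version={log4j_version}\n",
            )
            zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a Jetty 7 jar without Log4j2, and two log4j-core jars.
    samples = {
        "jetty-server-7.5.4.v20111024.jar": build_sample_jar(),
        "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", with_jndi_lookup=True),
        "log4j-core-2.16.0.jar": build_sample_jar("2.16.0", with_jndi_lookup=True),
    }
    for jar_name, data in samples.items():
        r = inspect_jar(data, jar_name)
        status = "UPDATE" if r["needs_update"] else "ok"
        print(f"{status:6} {r['jar']}: log4j-core={r['has_log4j_core']} version={r['version']}")
```

For a real deployment, point `scan_directory` at the application's lib directory (and at WEB-INF/lib inside exploded webapps); a jar flagged with `needs_update` and an unknown version is usually a shaded or repackaged copy and deserves a manual look.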