Hi,

On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer <j...@kimmeringer.de> wrote:
> On 16.12.2021 at 14:26, Joakim Erdfelt wrote:
> >
> > As Simone pointed out, Jetty has never had a dependency on log4j, any
> > version.
> > If you are using log4j, then you added it to your own copy of Jetty.
>
> While the statement is true it might be worth mentioning that
> Jetty could use log4j indirectly if log4j has been configured
> to be SLF4J's backend logging framework and Jetty has been
> configured to use Slf4jLog and/or Slf4jRequestLogWriter.
>
> Especially if Jetty is embedded into a larger application, this
> scenario isn't that far-fetched.
You are right that this scenario is possible, but there is nothing that we can do about it.
We don't have to release a new version of Jetty to patch anything, because there is nothing to patch on the Jetty side.

Sure, people will need to carefully review their dependencies, recursively, and whether they have configured Jetty (or some other library) with Log4J, and we wrote a generic how-to for how to deal with some of these cases (again we cannot cover them all) in this blog:
https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/

-- 
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
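The indirect path Lothar describes (Jetty -> SLF4J -> whatever backend is bound) is easy to miss in a dependency review, because it is decided at runtime by which binding jar happens to be on the classpath. The following is an added example written for this page, not code from Jetty, Webtide or anyone in the thread: it asks SLF4J which ILoggerFactory it actually bound and checks reflectively whether log4j-core and its JndiLookup class are loadable. It assumes only that slf4j-api (1.7 or 2.x) is on the classpath; the class names org.apache.logging.slf4j.Log4jLoggerFactory, org.apache.logging.log4j.core.LoggerContext and org.apache.logging.log4j.core.lookup.JndiLookup are real log4j 2 classes but are not mentioned on this page, and the manifest Implementation-Version is read on a best-effort basis.

```java
import org.slf4j.ILoggerFactory;
import org.slf4j.LoggerFactory;

/**
 * Added example (not Jetty project code). Reports which logging backend SLF4J
 * bound at runtime and whether log4j-core (and its JndiLookup class) can be
 * loaded. Class names other than SLF4J's own are looked up reflectively so the
 * check runs whether or not log4j is present.
 */
public final class Slf4jBackendCheck {

    /** Fully qualified class name of the ILoggerFactory SLF4J resolved to. */
    static String boundFactoryClass() {
        ILoggerFactory factory = LoggerFactory.getILoggerFactory();
        return factory.getClass().getName();
    }

    /** True if the named class is visible to this class loader (static init is not run). */
    static boolean classPresent(String fqcn) {
        try {
            Class.forName(fqcn, false, Slf4jBackendCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException | LinkageError e) {
            return false;
        }
    }

    /** Implementation-Version from the jar manifest of the class's package, if the jar set one. */
    static String implementationVersion(String fqcn) {
        try {
            Package pkg = Class.forName(fqcn, false, Slf4jBackendCheck.class.getClassLoader()).getPackage();
            String version = (pkg == null) ? null : pkg.getImplementationVersion();
            return (version == null) ? "unknown" : version;
        } catch (ClassNotFoundException | LinkageError e) {
            return "absent";
        }
    }

    public static void main(String[] args) {
        String factory = boundFactoryClass();
        // log4j-slf4j-impl / log4j-slf4j18-impl bind a factory from this package
        // when log4j 2 is the SLF4J backend.
        boolean log4j2IsBackend = factory.startsWith("org.apache.logging.slf4j.");
        boolean log4jCorePresent = classPresent("org.apache.logging.log4j.core.LoggerContext");
        boolean jndiLookupPresent = classPresent("org.apache.logging.log4j.core.lookup.JndiLookup");

        System.out.println("SLF4J bound factory : " + factory);
        System.out.println("log4j 2 is backend  : " + log4j2IsBackend);
        System.out.println("log4j-core present  : " + log4jCorePresent
                + " (version " + implementationVersion("org.apache.logging.log4j.core.LoggerContext") + ")");
        System.out.println("JndiLookup loadable : " + jndiLookupPresent);

        if (log4j2IsBackend || log4jCorePresent) {
            System.out.println("=> log4j-core is reachable: anything that logs through SLF4J"
                    + " (Jetty's Slf4jLog / Slf4jRequestLogWriter included) ends up in it;"
                    + " verify the log4j-core version against the CVE-2021-44228 advisory.");
        }
    }
}
```

Run it from the same class loader that loads Jetty and the application: in an embedded server each web application may carry its own copy of slf4j-api and a different binding, so a check executed only from the server's class loader can report a clean backend while a deployed context is bound to log4j-core. The dependency-tree review Simone recommends remains necessary; this check just confirms what the JVM actually resolved.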