There is a new Log4J CVE; everyone using log4j needs to upgrade to 2.17.0 now.

https://logging.apache.org/log4j/2.x/security.html#CVE-2021-45105

Joakim Erdfelt / joa...@webtide.com

On Fri, Dec 17, 2021 at 5:16 PM Simone Bordet <sbor...@webtide.com> wrote:
> Hi,
>
> On Fri, Dec 17, 2021 at 11:29 AM Lothar Kimmeringer <j...@kimmeringer.de> wrote:
> > On 16.12.2021 at 14:26, Joakim Erdfelt wrote:
> > >
> > > As Simone pointed out, Jetty has never had a dependency on log4j, any version.
> > > If you are using log4j, then you added it to your own copy of Jetty.
> >
> > While the statement is true, it might be worth mentioning that
> > Jetty could use log4j indirectly if log4j has been configured
> > to be SLF4J's backend logging framework and Jetty has been
> > configured to use Slf4jLog and/or Slf4jRequestLogWriter.
> >
> > Especially if Jetty is embedded into a larger application, this
> > scenario isn't that far-fetched.
>
> You are right that this scenario is possible, but there is nothing
> that we can do about it.
> We don't have to release a new version of Jetty to patch anything,
> because there is nothing to patch on the Jetty side.
>
> Sure, people will need to carefully review their dependencies,
> recursively, and whether they have configured Jetty (or some other
> library) with Log4J, and we wrote a generic how-to for how to deal
> with some of these cases (again, we cannot cover them all) in this
> blog:
> https://webtide.com/jetty-log4j2-exploit-cve-2021-44228/
>
> --
> Simone Bordet
> ----
> http://cometd.org
> http://webtide.com
> Developer advice, training, services and support
> from the Jetty & CometD experts.
> _______________________________________________
> jetty-users mailing list
> jetty-users@eclipse.org
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
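Simone's point that dependencies have to be reviewed recursively is the practical problem here: log4j-core is rarely sitting next to Jetty's own jars, it is more often buried in a WAR's WEB-INF/lib or inside a shaded fat jar. The script below is an added example (not Jetty's or Webtide's code) of how to do that review mechanically: it walks a deployment directory, opens every jar/war/ear, recurses into archives nested inside them, identifies log4j-core either by its Maven pom.properties or by the presence of org/apache/logging/log4j/core/ classes, and flags any copy below the fix version. The fix threshold 2.17.0 is taken from the message above; the sample deployment the script builds in a temporary directory is constructed stand-in data (a few invented jar names with empty class stubs), not real Log4j bytes.

```python
"""Find every copy of log4j-core below a directory, including jars nested inside
wars/ears/fat jars, and flag copies older than the fix version (2.17.0 per the
message this illustrates). Added example, not Jetty/Webtide code."""
import io
import os
import tempfile
import zipfile

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
CORE_PREFIX = "org/apache/logging/log4j/core/"          # package shipped in log4j-core
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"   # CVE-2021-44228 entry point
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text):
    """'2.17.0' -> (2, 17, 0). Non-numeric suffixes ('2.0-beta9') are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def log4j_core_version(zf):
    """Version from Maven pom.properties if this archive is log4j-core, else None."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, path):
    """Yield one finding per archive carrying log4j-core classes; recurse into nested
    archives so WEB-INF/lib and shaded/fat jars are covered."""
    names = zf.namelist()
    version = log4j_core_version(zf)
    if version is not None or any(n.startswith(CORE_PREFIX) for n in names):
        yield {"path": path, "version": version, "jndi_lookup": JNDI_LOOKUP in names}
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from scan_archive(inner, f"{path}!{name}")


def scan_tree(root):
    """All log4j-core findings below root, paths relative to root, sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with zipfile.ZipFile(full) as zf:
                    findings.extend(scan_archive(zf, rel))
            except zipfile.BadZipFile:
                continue
    return sorted(findings, key=lambda f: f["path"])


def needs_upgrade(finding, fixed="2.17.0"):
    """Below the fix version, or core classes with no readable version (shaded copy):
    both need action. JndiLookup presence is reported but is not the test, since
    CVE-2021-45105 does not involve that class."""
    if finding["version"] is None:
        return True
    return parse_version(finding["version"]) < parse_version(fixed)


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: an old log4j-core, a WAR bundling a fixed one, a shaded
    jar with core classes but no pom.properties, and an unrelated jar."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    def core(v):
        return {POM_PROPS: f"version={v}\n", JNDI_LOOKUP: stub}
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    files = {
        "lib/log4j-core-2.16.0.jar": _jar_bytes(core("2.16.0")),
        "app.war": _jar_bytes({"WEB-INF/web.xml": "<web-app/>",
                               "WEB-INF/lib/log4j-core-2.17.0.jar": _jar_bytes(core("2.17.0"))}),
        "shaded-tool.jar": _jar_bytes({CORE_PREFIX + "LogEvent.class": stub}),
        "jetty-util.jar": _jar_bytes({"org/eclipse/jetty/util/Foo.class": stub}),
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root


def demo(fixed="2.17.0"):
    """Build the sample tree in a temp dir; return [(path, version, needs_upgrade)]."""
    root = build_sample_tree(tempfile.mkdtemp())
    return [(f["path"], f["version"], needs_upgrade(f, fixed)) for f in scan_tree(root)]


if __name__ == "__main__":
    for path, version, flag in demo():
        print(f"{'UPGRADE' if flag else 'ok     '} {path} version={version}")
```

Run it against a real tree with scan_tree("/path/to/jetty-base") and needs_upgrade on each finding. Two caveats: shaded jars that relocate the org.apache.logging.log4j.core package will not match the prefix and need a class-name search instead, and this finds the jar, not the configuration; whether Jetty actually routes log output through SLF4J into that log4j copy (Lothar's Slf4jLog/Slf4jRequestLogWriter case) is a separate check of jetty-logging.properties and the SLF4J binding on the classpath. Apache's advisory for CVE-2021-45105 also lists 2.12.3 (Java 7) and 2.3.1 (Java 6) as fixed releases on the older branches, so pass the matching fixed= value if you are pinned to one of those lines.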