On Sat, Dec 11, 2021, at 10:34 AM, Ryan Schmidt wrote:
> On Dec 11, 2021, at 11:24, Richard L. Hamilton wrote:
>
>> CVE-2021-44228 sounds kinda scary!
>
> We appear to have a jakarta-log4j port but it is version 1.x, not 2.

Log4j 1.x isn't affected by that CVE [1], though there is a vulnerability that depends on configuration, not user input [2].

[1] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991387493
[2] https://github.com/apache/logging-log4j2/pull/608#issuecomment-991730650
