[
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184704#comment-17184704
]
Ralph Goers commented on LOG4J2-2329:
-------------------------------------
Additional note - log4j-slf4j18-impl was updated to 1.8.0-beta4 by LOG4J2-2745.
The CVE can be avoided by simply not using slf4j-ext or the EventData class. An
argument could be made that we should also remove support for EventData.
Admittedly it was a hack added to SLF4J (by me) because its API doesn't support
Messages like Log4j does. User's who want to avoid the CVE need only upgrade
SLF4J to a more recent 1.7 version. It will work fine with Log4j so long as the
EventData isn't present. But removing it entirely and upgrading the version
would give users warm fuzzies.
> Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088
> ----------------------------------------------------------------
>
> Key: LOG4J2-2329
> URL: https://issues.apache.org/jira/browse/LOG4J2-2329
> Project: Log4j 2
> Issue Type: Bug
> Components: SLF4J Bridge
> Affects Versions: 2.11.0
> Reporter: Sven Kubiak
> Priority: Major
>
> Latest version of log4j-slf4j-impl has a dependency to slf4j-api version
> 1.8.0-Alpha2. All version before 1.8.0-Beta2 have vulnerable due to
> CVE-2018-8088.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088]
> Can we update to at least 1.8.0-Beta2?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)