[ 
https://issues.apache.org/jira/browse/LOG4J2-2329?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17184704#comment-17184704
 ] 

Ralph Goers commented on LOG4J2-2329:
-------------------------------------

Additional note - log4j-slf4j18-impl was updated to 1.8.0-beta4 by LOG4J2-2745. 
The CVE can be avoided by simply not using slf4j-ext or the EventData class. An 
argument could be made that we should also remove support for EventData. 
Admittedly it was a hack added to SLF4J (by me) because its API doesn't support 
Messages like Log4j does. User's who want to avoid the CVE need only upgrade 
SLF4J to a more recent 1.7 version. It will work fine with Log4j so long as the 
EventData isn't present. But removing it entirely and upgrading the version 
would give users warm fuzzies.

> Fix dependency in log4j-slf4j-impl to slf4j due to CVE-2018-8088
> ----------------------------------------------------------------
>
>                 Key: LOG4J2-2329
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2329
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: SLF4J Bridge
>    Affects Versions: 2.11.0
>            Reporter: Sven Kubiak
>            Priority: Major
>
> Latest version of log4j-slf4j-impl has a dependency to slf4j-api version 
> 1.8.0-Alpha2. All version before 1.8.0-Beta2 have vulnerable due to 
> CVE-2018-8088.
> [https://nvd.nist.gov/vuln/detail/CVE-2018-8088]
> Can we update to at least 1.8.0-Beta2?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to