[
https://issues.apache.org/jira/browse/LOGCXX-541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457673#comment-17457673
]
Thorsten Schöning edited comment on LOGCXX-541 at 12/11/21, 4:36 PM:
---------------------------------------------------------------------
Log4cxx uses log4j 1.x for its tests, which is not affected by the RCE AFAIK:
{quote}Affected Apache log4j2 Versions
2.0 <= Apache log4j <= 2.14.1{quote}
https://www.lunasec.io/docs/blog/log4j-zero-day/#affected-apache-log4j2-versions
{quote}find_jar(LOG4J NAMES log4j-1.2 DOC "System log4j location"){quote}
https://github.com/apache/logging-log4cxx/pull/80/commits/fa20a1449952d4317eca1db38e311a69f4ad7ac4#diff-07402a9ee6de57f51cf1c5a65172b9848f2d0a4eb0def6da48d25b554453c9f3R10
was (Author: tschoening):
Log4cxx uses log4j 1.x for its tests, which is not affected by the RCE AFAIK.
> Upgrade log4j to 2.15.0 - CVE-2021-44288
> ----------------------------------------
>
> Key: LOGCXX-541
> URL: https://issues.apache.org/jira/browse/LOGCXX-541
> Project: Log4cxx
> Issue Type: Bug
> Components: Tests
> Reporter: Peter Hurley
> Priority: Major
> Labels: security
>
> Log4j has an RCE vulnerability, see
> [https://www.lunasec.io/docs/blog/log4j-zero-day/]