[ https://issues.apache.org/jira/browse/JCLOUDS-1589?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458828#comment-17458828 ]
Andrew Gaul commented on JCLOUDS-1589:
--------------------------------------

But jclouds-log4j currently depends on log4j 1.2.17 which suffers from a _different_ CVE:

[https://www.cvedetails.com/cve/CVE-2019-17571/]

I'm not too familiar with this driver and my first thought is to remove it as unmaintained since upgrading requires source code changes. But some tests rely on log4j e.g., atmos, b2, s3, so we need to migrate those first.

> Upgrade to Log4j 2.15.0
> -----------------------
>
>                 Key: JCLOUDS-1589
>                 URL: https://issues.apache.org/jira/browse/JCLOUDS-1589
>             Project: jclouds
>          Issue Type: Improvement
>          Components: jclouds-drivers
>    Affects Versions: 2.4.0
>            Reporter: Andrew Gaul
>            Priority: Major
>
> 2.15.0 fixes a critical CVE:
>
> https://logging.apache.org/log4j/2.x/security.html

--
This message was sent by Atlassian Jira
(v8.20.1#820001)