Also I would like to take this opportunity to say that OFBiz should prioritize code reorganization / splitting into modules. IMO OFBiz should be split into smaller parts with a clear, small number of dependencies that are easier to reason about. Right now there are A LOT of dependencies in OFBiz and it's not clear where they are used, what the impact is if a vulnerability in a dependency is found, etc. It's hard to reason about. All deps are in the main gradle.build file.
I would upgrade to 2.16.0 to fix the second vulnerability found: https://logging.apache.org/log4j/2.x/security.html.
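As an added example (not part of the post and not OFBiz's own tooling), a small script that answers the "where is this dependency actually used" question for the Log4j case: it parses the text that `gradle dependencies` prints (a constructed sample is embedded) and lists every configuration that resolves log4j-core or log4j-api to a version older than 2.16.0, the release the post recommends.

```python
"""Flag Log4j 2 artifacts below the fixed release in a Gradle dependency report.

Added example, not code from the OFBiz project or the original post. It parses
the output of `gradle dependencies`, where each configuration is a block of
lines such as `+--- org.apache.logging.log4j:log4j-core:2.14.1`, and reports
every configuration that pulls in log4j-core or log4j-api below 2.16.0.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `gradle dependencies` output (not real OFBiz output).
SAMPLE_REPORT = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.14.1
+--- org.apache.logging.log4j:log4j-core:2.14.1
\\--- org.apache.tomcat:tomcat-catalina:9.0.55

runtimeClasspath - Runtime classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.16.0
\\--- org.apache.logging.log4j:log4j-api:2.16.0
"""

FIXED = (2, 16, 0)  # first release without the second Log4j vulnerability
CONFIG_RE = re.compile(r"^(\w+)\s+-\s")  # e.g. "compileClasspath - ..."
DEP_RE = re.compile(
    r"org\.apache\.logging\.log4j:(log4j-core|log4j-api):(\S+)(?:\s+->\s+(\S+))?"
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def vulnerable_log4j(report: str) -> Dict[str, List[str]]:
    """Map configuration name -> ['artifact:resolved-version', ...] below FIXED."""
    findings: Dict[str, List[str]] = {}
    config = "<unknown>"
    for line in report.splitlines():
        m = CONFIG_RE.match(line)
        if m:
            config = m.group(1)  # a new configuration block starts here
            continue
        d = DEP_RE.search(line)
        if not d:
            continue
        artifact, declared, resolved = d.groups()
        version = resolved or declared  # Gradle prints the resolved version after '->'
        if parse_version(version) < FIXED:
            findings.setdefault(config, []).append(f"{artifact}:{version}")
    return findings


if __name__ == "__main__":
    for cfg, hits in vulnerable_log4j(SAMPLE_REPORT).items():
        print(cfg, hits)
```

On the sample, only `compileClasspath` is reported; `runtimeClasspath` resolves log4j-core to 2.16.0 via a conflict resolution arrow and is clean.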
