Hi,

By your own admission you're using the console appender, not the socket appender. And I didn't write that "SocketAppender has the impact with the Tika 3.2.3 usage", I wrote that we use that version, but not that feature.

Tilman

On 05.02.2026 at 08:14, Saravanan Balakrishnan wrote:
Hi Tika Team,
I am looking for clarification on SocketAppender which has impact of CVE-2025-68161 related to log4j
We use the below configuration for Tika logging
log4jTika.xml,
<Console name="*CONSOLE_APPENDER*" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>"%d{MM/dd/yyyy hh:mm:ss a} %-5p %c{1}:%L - %m%n"</Pattern>
      </PatternLayout>
    </Console>
As you confirmed that SocketAppender has the impact with the Tika 3.2.3 usage, so I believe using the console logging is still impacted with the CVE-2025-68161. Can you please provide some information on the below yaml file, what 3.2.3.r2 stands for? Going forward it would be easy to understand the metadata info: https://github.com/wolfi-dev/advisories/blob/main/apache-tika-3.2.advisories.yaml
Thanks in advance. Appreciate your valuable time and information.
Regards,
Saravanan B
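
Added example, not part of the original thread and not Tika or Log4j project code: a small Python check that lists the appender types declared in a Log4j 2 XML configuration and reports any Socket appender, which is the distinction the reply above turns on. The surrounding Configuration/Appenders wrapper, the second sample, the host names and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the Console appender quoted in the thread, wrapped in a
# minimal <Configuration> (assumed) so it parses as a complete log4j2 XML file.
CONSOLE_ONLY = """<Configuration>
  <Appenders>
    <Console name="*CONSOLE_APPENDER*" target="SYSTEM_OUT">
      <PatternLayout>
        <Pattern>"%d{MM/dd/yyyy hh:mm:ss a} %-5p %c{1}:%L - %m%n"</Pattern>
      </PatternLayout>
    </Console>
  </Appenders>
</Configuration>"""

# Constructed sample with a Socket appender in concise and in strict syntax.
WITH_SOCKET = """<Configuration>
  <Appenders>
    <Console name="STDOUT" target="SYSTEM_OUT"/>
    <Socket name="REMOTE" host="logs.example.invalid" port="4560"/>
    <Appender type="socket" name="REMOTE_STRICT" host="logs.example.invalid" port="4561"/>
  </Appenders>
</Configuration>"""

def local(tag):
    """Strip an XML namespace prefix: '{ns}Socket' -> 'Socket'."""
    return tag.rsplit("}", 1)[-1]

def appender_types(config_xml):
    """Return [(plugin_type, name)] for every appender declared in the config."""
    root = ET.fromstring(config_xml)
    found = []
    for section in root.iter():
        if local(section.tag).lower() != "appenders":
            continue
        for node in section:
            # Concise syntax uses the plugin name as the element name;
            # strict syntax uses <Appender type="...">.
            kind = local(node.tag)
            if kind.lower() == "appender":
                kind = node.get("type", "")
            found.append((kind, node.get("name", "")))
    return found

def socket_appenders(config_xml):
    """Names of appenders whose plugin type is Socket (case-insensitive match)."""
    return [n for kind, n in appender_types(config_xml) if kind.lower() == "socket"]
```

This only inspects one XML file; appenders added programmatically or through other configuration files loaded at runtime are not covered.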
