Vulnerable to Log4Shell? #2116

Closed
deadlytea opened this issue Dec 15, 2021 · 1 comment
Labels
type/question Further information is requested

Comments

@deadlytea

Is the version of log4j being used by slf4j in the apicurio-registry vulnerable to CVE-2021-44228/Log4Shell?

If so, are there plans to address this and update? I am running apicurio-registry in production and am concerned.

I've tried my hand at finding if the version is vulnerable, but I must admit my Java package management skills are lacking.

@EricWittmann
Member

All components of Registry are using slf4j and jboss-logging, not log4j. Quarkus (which we run on top of) is not vulnerable - you can read more about that here:

https://quarkus.io/blog/quarkus-and-CVE-2021-4428/

And we do not add log4j in the application layer on top of that. We think it's clear that we are not impacted by the log4j vulnerability.
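
One way to check a deployment's jars for log4j-core yourself, as an added example that is not part of the original thread or the project's own code. It assumes the standard log4j-core class and Maven metadata paths; the function names and the sample archives are constructed for illustration.

```python
import io
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, findings=None):
    """Return [(location, version_or_None, has_JndiLookup)], descending into nested jars."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive: nothing to report
    with zf:
        names = sorted(zf.namelist())
        version = None
        if POM_PROPS in names:  # Maven metadata shipped inside log4j-core
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names
        if has_jndi or version:
            findings.append((label, version, has_jndi))
        for name in names:
            if name.lower().endswith(ARCHIVES):
                scan_archive(zf.read(name), f"{label}!/{name}", findings)
    return findings

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample archives, not real Registry or log4j artifacts.
    core = make_jar({JNDI_LOOKUP: b"", POM_PROPS: "version=2.14.1\n"})
    slf4j = make_jar({"org/slf4j/Logger.class": b""})
    bundled = make_jar({"lib/log4j-core.jar": core, "lib/slf4j-api.jar": slf4j})
    clean = make_jar({"lib/slf4j-api.jar": slf4j})
    return scan_archive(bundled, "bundled.jar"), scan_archive(clean, "clean.jar")

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. every jar in the deployment's lib directory
        with open(path, "rb") as fh:
            print(path, scan_archive(fh.read(), path) or "no log4j-core found")
```

Pass the script the jar files from the running deployment; an slf4j jar on its own produces no finding, because only an archive carrying log4j-core's `JndiLookup` class or Maven metadata is reported.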
