Request to update log4j to patch CVE-2021-44228

[setu4993]

I do see that this package uses log4j, but I haven't been able to find what version (my lack of familiarity with Java packaging) and if it is affected by CVE-2021-44228.

Making a request to update this sensitive CVE soon if it is affected. Thanks!

[jebeaudet]

BTW this project uses the version 1.2.17 which is not vulnerable to CVE-2021-44228. It is however vulnerable to CVE-2019-17571 but this one is much much less probable to be vulnerable.

https://scans.gradle.com/s/dbu4bwe3crqck/dependencies?toggled=W1swXSxbMCwwXSxbMCwwLFsxOV1dLFswLDAsWzE5LDIyXV1d

[agronskiy]

Found the same in the 5.0-cpu docker:

root@368845d80ba5:~/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f# ll
total 488
drwxr-xr-x 2 root root   4096 Nov 17 18:42 ./
drwxr-xr-x 4 root root   4096 Nov 17 18:42 ../
-rw-r--r-- 1 root root 489884 Nov 17 18:42 log4j-1.2.17.jar

The only explicitly installed package is slf4j which seems to be an adaptor to log4j1.2

root@368845d80ba5:/# apt list --installed | grep 4j

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libslf4j-java/bionic,now 1.7.25-3 all [installed,automatic]

Sounds like indeed 2.0 is not there.

[jebeaudet]

slf4j is an api
slf4j-log4j12 is an implementation of slf4j using log4j 1.2 (log4j12 -> log4j 1.2)

[getElementsByName]

How about netty? Netty is using the 2.6.2 log4j (The reported vulnerable version in CVE-2021-44228)

• https://github.com/netty/netty/blob/netty-4.1.53.Final/pom.xml#L368

[adumit]

Hi, do you know, @lxning, when the latest version with the update (0.5.1) will be released? Looks like it was merged and could be ready to go.

[lxning]

v0.5.1 is released today,