Hi Christian,

So you already knew :)

Very glad to read your answer, the exploitation attempts are already
showing up in the logs.

Thanks, this helps a lot,
Marc


On Mon, 13 Dec 2021, Christian Grün wrote:

> Hi Marc,
>
> I was waiting for that question ;)
>
> All fine, BaseX uses a custom logger, as does Jetty [1,2].
>
> You may need to check your setup, though, if you use Tomcat as web
> server or any additional search index applications like Solr or
> Elasticsearch. ES is only susceptible to information leak, not remote
> code execution [3].
>
> Hope this helps,
> Christian
>
> [1] https://docs.basex.org/wiki/Logging
> [2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.html
> [3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476
>
>
>
> On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht <m...@crosseyed.nl> wrote:
> >
> > Does BaseX (9.x or 8.x) use Log4j in any of its components?
> > If not, should one still worry about the JRE?
> >
> >
> > Regards,
> > Marc
>
