We updated log4j four times in December/January. The first two times seemed warranted, although limited even then because the UI and API for a ManifoldCF instance are not ever available on the open internet. The last two were a stretch to think they could cause any problems in our environment, but we upgraded anyway.
We will be updating log4j on every release for the next few years because logging systems are now under quite a microscope and we get asked this question all the time. We also get told that many of our library dependencies have critical CVEs, e.g. Axis, but once again the scenarios in these CVEs cannot occur in our environment, and furthermore, there is no Axis upgrade possible. So it is up to individual users to decide whether the existence of a CVE is meaningful to them.

Karl

On Tue, Jul 19, 2022 at 6:21 AM Wolfinger Uwe <uwe.wolfin...@oegk.at> wrote:
> We just started an upgrade to version 2.22.1 and noticed that still vulnerable log4j versions are present in the distribution package, e.g.:
>
> apache-manifoldcf-2.22.1\lib\log4j-api-2.15.0.jar
>
> apache-manifoldcf-2.22.1\web\war\mcf-authority-service\WEB-INF\lib\log4j-api-2.15.0.jar
>
> According to this issue:
> https://issues.apache.org/jira/browse/CONNECTORS-1683
> we expected that the log4j problem was already solved.
>
> Is this a known problem, or do we have to upgrade the log4j version manually?
>
> Kind regards,
> Uwe Wolfinger
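The thread shows why a dependency inventory has to cover the nested `WEB-INF/lib` copies, not just the top-level `lib` directory. The following is an added example, not code from the thread or from the ManifoldCF project: it walks a distribution tree (and looks inside packaged `.war`/`.ear`/`.zip` archives), recognises log4j jar names, and flags versions below a policy threshold. The two jar paths from the thread are reused as constructed sample input, the other sample entries and the `2.17.1` threshold are assumed example values.

```python
"""Inventory log4j jars in an unpacked distribution and flag outdated copies."""
import os
import re
import zipfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches log4j-api-2.15.0.jar, log4j-core-2.17.1.jar and 1.x names like log4j-1.2.17.jar.
LOG4J_JAR = re.compile(r"log4j(?:-([a-z0-9-]+))?-(\d+)\.(\d+)\.(\d+)\.jar$")

# Constructed sample inventory: the two paths quoted in the thread plus two invented entries.
SAMPLE_PATHS = [
    "apache-manifoldcf-2.22.1/lib/log4j-api-2.15.0.jar",
    "apache-manifoldcf-2.22.1/web/war/mcf-authority-service/WEB-INF/lib/log4j-api-2.15.0.jar",
    "apache-manifoldcf-2.22.1/lib/log4j-core-2.17.1.jar",  # constructed
    "apache-manifoldcf-2.22.1/lib/axis-1.4.jar",           # constructed, not log4j
]


def parse_version(path: str) -> Optional[Tuple[str, Version]]:
    """Return (artefact, (major, minor, patch)) for a log4j jar path, else None."""
    m = LOG4J_JAR.search(path.replace("\\", "/"))
    if not m:
        return None
    return (m.group(1) or "log4j"), tuple(int(x) for x in m.group(2, 3, 4))


def classify(paths: List[str], minimum: Version):
    """Split jar paths into (outdated, current) lists of (path, version string)."""
    outdated, current = [], []
    for p in paths:
        parsed = parse_version(p)
        if parsed is None:
            continue  # not a log4j jar
        version = parsed[1]
        bucket = outdated if version < minimum else current
        bucket.append((p, ".".join(map(str, version))))
    return outdated, current


def find_jars(root: str) -> Iterator[str]:
    """Walk root and yield every log4j jar, including copies packed inside archives."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            if LOG4J_JAR.search(f):
                yield full
            elif f.endswith((".war", ".ear", ".zip")) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    for member in zf.namelist():
                        if LOG4J_JAR.search(member):
                            yield full + "!/" + member  # archive-internal path
```

Run `classify(list(find_jars("apache-manifoldcf-2.22.1")), (2, 17, 1))` against a real unpacked distribution to list every copy that is below the threshold; the minimum version is a policy choice, not a value fixed by this example.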