[ https://issues.apache.org/jira/browse/PDFBOX-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461242#comment-17461242 ]

Andreas Lehmkühler commented on PDFBOX-5346:
--------------------------------------------

First of all, you should update to a more recent PDFBox version. We've just 
released 2.0.25

Log4J2 is not a dependency of commons logging, see 
[pom.xml|https://github.com/apache/commons-logging/blob/master/pom.xml]

{noformat}
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
      <optional>true</optional>
    </dependency>
{noformat}

That dependency is optional and furthermore it references log4j 1.2.17 which 
isn't affected by the log4shell issue.

Commons-logging is a wrapper for different logging frameworks and the user 
decides which one to use by adding it to the classpath.

BTW: this is a bug tracker and such queries belong on our [mailing 
list|https://pdfbox.apache.org/mailinglists.html]


> PDFBox 2.0.12 | Regarding log4j 0 day vulnerability
> ---------------------------------------------------
>
>                 Key: PDFBOX-5346
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5346
>             Project: PDFBox
>          Issue Type: Task
>    Affects Versions: 2.0.12
>            Reporter: Amit Maheshwari
>            Priority: Critical
>
> We are using PDFBox 2.0.12 in our software.
> We found that 'commons logging' is a dependency of PDFBox and Log4J is a 
> dependency of commons logging.
> We have not done any explicit configuration for log4j; in that case, will 
> PDFBox or Commons Logging consume Log4J by any chance?
> If yes, what is the recommendation for avoiding it (and is there any 
> possibility of compromise due to the 0-day vulnerability present in Log4J 
> in 2.0.12)?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

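The exchange above turns on one question the reporter can answer locally: commons-logging is only a facade, so what matters is which logging jars are actually on the application's classpath, not what PDFBox or commons-logging declare. The script below is an added example (not PDFBox, commons-logging or Log4j code) that inspects jars for the log4j-core class behind CVE-2021-44228 (JndiLookup) together with the version recorded in Maven's pom.properties, and descends into nested jars because shaded and Spring-Boot-style fat jars bundle log4j-core under a lib/ directory. The sample jars are constructed in memory with empty stand-in class entries; the fix boundaries (2.15.0, with the 2.12.2 and 2.3.1 backports) are the published ones. The scan_directory helper, intended for pointing at a real WEB-INF/lib or lib/ directory, is an assumption about how you would use it, not part of any project.

```python
"""Classpath check for the commons-logging / Log4Shell question above.
Added example, not code from PDFBox, commons-logging or Log4j."""
import io
import re
import zipfile
from pathlib import Path

# Entry names that identify the relevant artifacts inside a jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
LOG4J1_PROPS = "META-INF/maven/log4j/log4j/pom.properties"

# log4j-core version ranges affected by CVE-2021-44228: fixed in 2.15.0,
# with backports 2.12.2 (Java 7 line) and 2.3.1 (Java 6 line).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 1)),
    ((2, 4, 0), (2, 12, 2)),
    ((2, 13, 0), (2, 15, 0)),
]


def parse_version(props_text):
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\S+)", props_text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in re.findall(r"\d+", m.group(1))[:3]]  # "2.14.1-rc1" -> 2,14,1
    return tuple(parts + [0] * (3 - len(parts)))


def log4shell_affected(version):
    """True when a log4j-core version falls inside an affected range."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def scan_jar(data, name="<bytes>"):
    """Return findings for one jar (bytes), recursing into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if JNDI_LOOKUP in names or LOG4J2_CORE_PROPS in names:
            version = (parse_version(zf.read(LOG4J2_CORE_PROPS).decode())
                       if LOG4J2_CORE_PROPS in names else None)
            findings.append({
                "jar": name, "artifact": "log4j-core", "version": version,
                # 2.16+ still ships the class but disables JNDI, so the
                # version decides, not mere presence of JndiLookup.class.
                "jndi_lookup_present": JNDI_LOOKUP in names,
                "affected": log4shell_affected(version) if version else None,
            })
        if LOG4J1_CLASS in names:
            version = (parse_version(zf.read(LOG4J1_PROPS).decode())
                       if LOG4J1_PROPS in names else None)
            findings.append({
                "jar": name, "artifact": "log4j (1.x)", "version": version,
                "jndi_lookup_present": False,
                "affected": False,  # 1.x has no message Lookup / JNDI substitution
            })
        for inner in names:
            if inner.endswith(".jar"):  # fat or shaded jar: look inside
                findings.extend(scan_jar(zf.read(inner), f"{name}!{inner}"))
    return findings


def scan_all(jars):
    """jars: mapping of jar name -> jar bytes."""
    return [f for name, data in jars.items() for f in scan_jar(data, name)]


def affected_jars(jars):
    return sorted(f["jar"] for f in scan_all(jars) if f["affected"])


def scan_directory(path):
    """Assumed usage: scan every *.jar in a lib directory on disk."""
    return scan_all({p.name: p.read_bytes() for p in Path(path).glob("*.jar")})


def make_jar(entries):
    """Build a jar in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed sample jars; class entries are empty stand-ins, only names matter.
SAMPLE_JARS = {
    "commons-logging-1.2.jar": make_jar({"org/apache/commons/logging/LogFactory.class": b""}),
    "log4j-1.2.17.jar": make_jar({LOG4J1_CLASS: b"", LOG4J1_PROPS: "version=1.2.17\n"}),
    "log4j-core-2.14.1.jar": make_jar({JNDI_LOOKUP: b"", LOG4J2_CORE_PROPS: "version=2.14.1\n"}),
    "log4j-core-2.17.1.jar": make_jar({JNDI_LOOKUP: b"", LOG4J2_CORE_PROPS: "version=2.17.1\n"}),
}
SAMPLE_JARS["app-fat.jar"] = make_jar(
    {"BOOT-INF/lib/log4j-core-2.14.1.jar": SAMPLE_JARS["log4j-core-2.14.1.jar"]})

if __name__ == "__main__":
    for finding in scan_all(SAMPLE_JARS):
        print(finding)
```

Against the samples, the commons-logging jar yields no finding at all (it carries no logging implementation), the log4j 1.2.17 jar is reported but not affected, log4j-core 2.14.1 is flagged both on its own and inside the fat jar, and 2.17.1 is reported as carrying JndiLookup.class yet not affected. In a real deployment, run scan_directory against the directory the application actually loads from; a `mvn dependency:tree` on the build is a useful cross-check but does not see jars dropped into a container's lib directory by hand.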