Hi,

During December 2021, there was a log4j-wide vulnerability. For reference: https://logging.apache.org/log4j/2.x/security.html.

At that time, our company did some patching to address our vulnerable components. We use a very old version of axis2.war, which is v1.6.x. Based on our internal scan, it was found that it has axis2/WEB-INF/lib/log4j-1.2.15.jar. Our security team's recommended fix should be >= log4j 2.16.0.

Looking at the latest available release at https://axis.apache.org/axis2/java/core/download.html, it's axis2-1.8.0.war. When I peeked inside, the log4j library versions are still 2.14.1:

WEB-INF/lib/log4j-api-2.14.1.jar
WEB-INF/lib/log4j-core-2.14.1.jar
WEB-INF/lib/log4j-jcl-2.14.1.jar

Based on the site, https://logging.apache.org/log4j/2.x/security.html, it should be 2.17.0 (for Java 8 and later).

Is there a newer axis2.war release that has the latest 2.17.x log4j library version?

Thanks.

Jay Malaluan
Software Development Engineer II
Mastercard
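
An added example, not part of the original message or of the Axis2 project: a name-based version of the check described above, listing the log4j jars inside a WAR and comparing each version against a minimum. The 2.17.0 default is the figure quoted in the message; the function names and the in-memory sample WAR are constructed for illustration.

```python
import io
import re
import zipfile

# Matches e.g. WEB-INF/lib/log4j-core-2.14.1.jar or WEB-INF/lib/log4j-1.2.15.jar.
# File names only: log4j classes shaded into other jars are not detected.
JAR_RE = re.compile(r"(?:^|/)(log4j(?:-[a-z0-9.]+)*?)-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1), padded to three parts for comparison."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))

def audit_war(war, minimum="2.17.0"):
    """Return (entry, artifact, version, status) for every log4j jar in the WAR."""
    floor = parse_version(minimum)
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in sorted(zf.namelist()):
            m = JAR_RE.search(name)
            if not m:
                continue
            artifact, version = m.group(1), m.group(2)
            parsed = parse_version(version)
            if parsed[0] < 2:
                status = "log4j-1.x"      # separate 1.x line, report on its own
            elif parsed >= floor:
                status = "ok"
            else:
                status = "below-minimum"
            findings.append((name, artifact, version, status))
    return findings

def build_sample_war(jar_names):
    """Constructed test input: an in-memory WAR holding empty jars with these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", b"<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf

# Constructed sample using the jar names quoted in the message.
SAMPLE_JARS = ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar",
               "log4j-jcl-2.14.1.jar", "log4j-1.2.15.jar"]

if __name__ == "__main__":
    for entry, artifact, version, status in audit_war(build_sample_war(SAMPLE_JARS)):
        print(f"{status:14} {artifact:12} {version:8} {entry}")
```

To check a real file, pass its path to `audit_war`, for example `audit_war("axis2-1.8.0.war")`.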