I looked at our pom.xml and we are using 2.13.3 so we need to update. There is no risk but it will be good to put out an RC6 once we have JCP approval.
Craig

> Begin forwarded message:
>
> From: Gary Gregory <[email protected]>
> Subject: Re: If your project is using log4j you need to update now (CVE-2021-44228)
> Date: December 10, 2021 at 3:04:44 AM PST
> To: [email protected]
> Reply-To: [email protected]
>
> It also helps to not use an antique version of Java 8 as Java 8u121 (see
> https://www.oracle.com/java/technologies/javase/8u121-relnotes.html)
> protects against remote code execution by defaulting
> "com.sun.jndi.rmi.object.trustURLCodebase" and
> "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
>
> Gary
>
> On Fri, Dec 10, 2021, 06:03 Mark J Cox <[email protected]> wrote:
> Log4j2 2.15.0 was released today to address CVE-2021-44228 which can lead to
> remote code execution in various situations.
>
> See:
> https://lists.apache.org/thread/p9sfg0z7t2gbgj76jz8rh1w28z11yq0v
> https://logging.apache.org/log4j/2.x/security.html
>
> Note: any updates of ASF projects needed to address this should reference
> CVE-2021-44228 and do not require a project-specific CVE.
>
> (Taking the non-usual step of mailing members@ to ensure it gets seen
> quickly, projects should monitor announce@apache for dependency CVE updates)
>
> Regards, Mark J Cox
> ASF Security

Craig L Russell
[email protected]
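The check Craig did by hand on the project's pom.xml, written out as an added example (this is not code from the thread or from any Apache project): it parses a Maven POM, resolves `${...}` placeholders from the `<properties>` block, locates the `org.apache.logging.log4j:log4j-core` dependency and reports whether its version is below 2.15.0, the release Mark's message names as addressing CVE-2021-44228. The POM below is constructed for the example and pins log4j through a property, which is the case a plain grep for the version string misses; the function names and the placeholder handling are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the thread): log4j-core is pinned
# indirectly through a <properties> entry, as many real POMs do.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0.0</version>
  <properties>
    <log4j.version>2.13.3</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Release named in the thread as addressing CVE-2021-44228.
FIXED_VERSION = "2.15.0"


def parse_version(version):
    """Turn '2.13.3' into (2, 13, 3) so versions compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolve_placeholders(value, props):
    """Substitute ${name} with the matching <properties> entry; unknown names stay as-is."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: props.get(m.group(1), m.group(0)),
                  value or "")


def find_log4j_core_version(pom_xml):
    """Return the declared log4j-core version (placeholders resolved) or None if absent."""
    root = ET.fromstring(pom_xml)
    # Maven POMs usually carry the POM namespace; handle both namespaced and bare tags.
    ns_match = re.match(r"\{(.*)\}", root.tag)
    prefix = "{%s}" % ns_match.group(1) if ns_match else ""

    props = {el.tag[len(prefix):]: (el.text or "").strip()
             for el in root.findall(prefix + "properties/*")}

    # iter() also walks <dependencyManagement>, where the version is often pinned.
    for dep in root.iter(prefix + "dependency"):
        group = (dep.findtext(prefix + "groupId") or "").strip()
        artifact = (dep.findtext(prefix + "artifactId") or "").strip()
        if group == "org.apache.logging.log4j" and artifact == "log4j-core":
            return resolve_placeholders(dep.findtext(prefix + "version"), props).strip()
    return None


def needs_update(pom_xml, fixed=FIXED_VERSION):
    """Return (version_found, verdict). verdict is True when below the fixed release,
    False when at or above it, None when the version could not be resolved."""
    found = find_log4j_core_version(pom_xml)
    if not found:
        return None, False
    if "${" in found:  # placeholder not defined in this POM (e.g. inherited from a parent)
        return found, None
    return found, parse_version(found) < parse_version(fixed)


if __name__ == "__main__":
    version, verdict = needs_update(SAMPLE_POM)
    print("log4j-core version:", version,
          "-> needs update" if verdict else "-> ok" if verdict is False else "-> unresolved")
```

A `None` verdict is deliberately distinct from "ok": a version inherited from a parent POM or a BOM cannot be judged from this file alone, and the script should not report a clean result it did not actually verify.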
