> 1. Log4j issue CVE-2021-44228 JDO-800 "Update Log4j Version"
> https://issues.apache.org/jira/browse/JDO-800
> TCK pom has been updated to log4j 2.16.0.
> What are the DataNucleus versions that we should use that have been or will
> be updated with the latest log4j releases?

The exact same ones as you are using. DN does not make direct use of any Log4j internal API etc, just gets a LogManager and a Logger from that. The API for those calls is unchanged by this "issue". Consequently it is only at RUNTIME that such an issue could be exploited, and the user (of DN) chooses what version of Log4j to make use of at runtime.

No plans to update our pom (for v5.x) for an optional dependency.

Regards
--
Andy
DataNucleus (Web: http://www.datanucleus.org Twitter: @datanucleus)