Bill, That doesn't look like log4j itself, merely an integration layer for using log4j with that project.
Joakim Erdfelt / [email protected] On Thu, Dec 16, 2021 at 2:43 PM Bill Ross via jetty-users < [email protected]> wrote: > One needs to check *all* jars too. I notice that the c3p0 db connection > pool package uses a lib (by the same author) called mchange-commons that > incorporates log4j: > > > https://github.com/swaldman/mchange-commons-java/tree/master/src/main/java/com/mchange > > $ jar tf ...jar > > com/mchange/v2/log/log4j2/MLogAppender.class > com/mchange/v2/log/log4j/Log4jMLog$Log4jMLogger.class > com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class > com/mchange/v2/log/log4j2/Log4j2MLog.class > > In case anyone else is concerned. I haven't had time to do more than > verify I can't get a side effect from outside my site. > > Bill > > > On 12/16/21 5:26 AM, Joakim Erdfelt wrote: > > You have 2 recent CVEs for Log4j 2.x to be aware of - CVE-2021-44228 and > CVE-2021-45046. > Both of these are currently resolved by simple upgrading to Log4j2 2.16.0 > > Log4j 1.x was EOL in August 2015 and now has an ever growing post-EOL CVE > list, it's use in production is not recommended anymore. > > As Simone pointed out, Jetty has never had a dependency on log4j, any > version. > If you are using log4j, then you added it to your own copy of Jetty. > Upgrading log4j, or deciding to switch to a different logging > implementation (logback, java.util.logging, etc) will have zero impact on > Jetty itself. > > Joakim Erdfelt / [email protected] > > > On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via jetty-dev < > [email protected]> wrote: > >> >> >> Hi Team, >> >> >> >> We are using Below jar provided by you. We want to ensure and know if it >> is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active >> Attack (CVE-2021-44228)”. If it’s impacted please let us know about the >> security recommendation. To know we are looking for following answer >> >> >> >> Jars: >> >> jetty-4.2.19 4.2.19 >> >> jetty-continuation-7.5.4.v20111024 7.5.4 >> >> jetty-http-7.5.4.v20111024 7.5.4 >> >> jetty-security-7.5.4.v20111024 7.5.4 >> >> jetty-util-7.5.4.v20111024 7.5.4 >> >> jetty-io-7.5.4.v20111024 7.5.4 >> >> jetty-server-7.5.4.v20111024 7.5.4 >> >> >> >> >> >> Are you using log4J? >> >> If you are using log4j 1.x version, are you using JMSAppender class >> >> if you are using log4j 2.x are , what is your security recommendation to >> fix the issue >> >> >> >> >> >> Thanks and regards, >> >> >> >> *Amit Kumar* >> >> *Tech Lead, Software Development Engineering* >> >> Financial & Risk Management Solutions >> >> Mobile: +91-9990094588 >> >> Upcoming R&R: >> >> *Fiserv * >> >> *Helping Small Businesses Get** Back2Business >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_RZ22cy4q6bM8_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=R-6lvnOhG5fnONNKZPmlgec0f7YBuuiH45dZ4t9Y3X4&e=>* >> Fiserv >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_X677F3dKx8Tx_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=NGFO_LDQrhMwepNez_lhHhtYeLweF4IK5nDNtCpnCic&e=> >> | Join Our Team >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_j9LLfXwgErFR_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=AovzNmRVWUIYoZzsyaRayRoSza5FiHf_XI4QYRFpUKQ&e=> >> | Twitter >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_bxXXB-2DpG2wfb_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=C131Xh7_qy_-NgY7CtUnhDREDFghFEQXaGsNPSbLZQw&e=> >> | LinkedIn >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_z9-5F-5FfAx8R-7EBm_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=nur3UqZMYo9u9wV8r9dN7NTf7ruHik2RoHJBApj4rBQ&e=> >> | Facebook >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_ebwwFvy-7EgkQ7_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=hd3ZCW13ah-YOC_rC0AZIjDWrL_h6jiYvxFA2dPfi_c&e=> >> FORTUNE *World's Most Admired Companies®* >> 2014 | 2015 | 2016 | 2017 | 2018 | 2019 | 2020 | 2021 >> >> © 2021 Fiserv Inc. or its affiliates. Fiserv is a registered trademark of >> Fiserv Inc. Privacy Notice >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__links.mkt030.com_els_v2_w-5F33sEW2jps3_TzJLUFZkYWdITm81S3lmUEFuVlpwT3hCT1FtWFlmMDVVV1g1cTQ2ZnJXRS9FNFR2UkFGVVU0SzBIRHVBUHMwYTdOM2ROV2w3NDZRTEg2aGFaT2NhdGxNMFo2ZjJLclp3N3h1SXgzQys2dU09S0_&d=DwMFaQ&c=rE3mhBYFJfJGqQ7WI0-DPw&r=SsuMM9K4X6-LD5gm7ULhlcCpWEqlIdXt0prnYpS6dss&m=EX9k1mYsarorAHo0fqkLhRLzA8ohktftTCpgsUd_vr0&s=aSztimCBadAn9CoDhVg4wBWZM1vKatItDvP9Kz3EvC4&e=> >> © 2021 Fortune Media IP Limited. Used under license. >> >> >> _______________________________________________ >> jetty-dev mailing list >> [email protected] >> To unsubscribe from this list, visit >> https://www.eclipse.org/mailman/listinfo/jetty-dev >> > > _______________________________________________ > jetty-users mailing [email protected] > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/jetty-users > > -- > Phobrain.com > _______________________________________________ > jetty-users mailing list > [email protected] > To unsubscribe from this list, visit > https://www.eclipse.org/mailman/listinfo/jetty-users >
_______________________________________________ jetty-users mailing list [email protected] To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
