[ 
https://issues.apache.org/jira/browse/PDFBOX-5346?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Amit Maheshwari updated PDFBOX-5346:
------------------------------------
    Description: 
We are using PDFBox 2.0.12 in our software.

We found that 'commons logging' is a dependency of PDFBox and Log4J is a dependency 
of commons logging.

We have not done any explicit configuration for log4j. In that case, will 
PDFBox or Commons Logging consume the Log4J solution by any chance?

If yes, what is the recommendation for avoiding it (and any possibility of 
compromise due to the 0-day vulnerability present in Log4J in 2.0.12)?

  was:
We are using PDFBox 2.0.12 in our software.

We found that 'commons logging' is a dependency of PDFBox and Log4J is a dependency 
of commons logging.

We have not done any explicit configuration for log4j. In that case, will 
PDFBox or Commons Logging consume the Log4J solution by any chance?

If yes, what is the recommendation for avoiding it (and any possibility of 
compromise due to the 0-day vulnerability present in Log4J in older versions)?


> PDFBox 2.0.12 | Regarding log4j 0 day vulnerability
> ---------------------------------------------------
>
>                 Key: PDFBOX-5346
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-5346
>             Project: PDFBox
>          Issue Type: Task
>    Affects Versions: 2.0.12
>            Reporter: Amit Maheshwari
>            Priority: Critical
>
> We are using PDFBox 2.0.12 in our software.
> We found that 'commons logging' is a dependency of PDFBox and Log4J is a 
> dependency of commons logging.
> We have not done any explicit configuration for log4j. In that case, will 
> PDFBox or Commons Logging consume the Log4J solution by any chance?
> If yes, what is the recommendation for avoiding it (and any possibility of 
> compromise due to the 0-day vulnerability present in Log4J in 2.0.12)?


