Re: Log4j dependency

2021-12-14 Thread Karl Wright
ManifoldCF framework and connectors use log4j 2.x to dump information to
the ManifoldCF log file.

Please read the following page:

https://logging.apache.org/log4j/2.x/security.html

Specifically, this part:

'Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration,
log messages, and parameters do not protect against attacker controlled
LDAP and other JNDI related endpoints. An attacker who can control log
messages or log message parameters can execute arbitrary code loaded from
LDAP servers when message lookup substitution is enabled. From log4j
2.15.0, this behavior has been disabled by default.'

In other words, unless you are allowing external people access to the
crawler UI or to the API, it's impossible to exploit this in ManifoldCF.

However, in the interest of assuring people, we are updating this core
dependency to the recommended 2.15.0 anyway. The release is scheduled by
the end of December.

Karl


On Tue, Dec 14, 2021 at 4:41 AM ritika jain wrote:

> Hi All,
>
> How does manifold.cf use log4j? When I checked the pom.xml of the ES connector,
> it is shown as an *exclusion* of a Maven dependency.
> [image: image.png]
>
> But when I checked the project's downloaded dependencies, it shows it being
> used and downloaded.
>
> [image: image.png]
> How does manifold use log4j, and how can we change its version?
>
> Thanks
> Ritika
>
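Karl's point is that the exposure depends on which log4j-core version a deployment actually carries, and Ritika's question is how to tell. The script below is an added example, not code from the thread or from the ManifoldCF project: it walks a lib directory of jars, reads log4j-core's version from the pom.properties Maven embeds in every jar (falling back to the file name when that is absent), and flags anything below 2.15.0, the threshold quoted above. The directory layout and the jars it builds for itself are constructed stand-ins; the fix for the build itself is the pom.xml / build.xml version that Furkan points to.

```python
"""Inventory check for log4j-core jars below 2.15.0 (added example, not ManifoldCF code)."""
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional, Tuple

# Threshold from the Log4j security page quoted in the mail: <=2.14.1 affected,
# 2.15.0 disables message lookup substitution by default.
FIXED_VERSION = (2, 15, 0)
# Path Maven writes into every jar it builds; lets us read the real version even
# when the file has been renamed (e.g. by a repackaging step).
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); missing parts become 0, suffixes like '-rc1' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def jar_version(jar_path: Path) -> Optional[str]:
    """Version of log4j-core inside jar_path, or None if the jar is not log4j-core."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM_PROPERTIES in zf.namelist():
                props = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in props.splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # not a zip at all; fall through to the file-name check
    m = re.match(r"log4j-core-(\d[\w.-]*)\.jar$", jar_path.name)
    return m.group(1) if m else None


def is_below_fix(version: str) -> bool:
    """True when the version predates 2.15.0, i.e. lookups are still on by default."""
    return parse_version(version) < FIXED_VERSION


def scan_lib_dir(lib_dir: str) -> List[Tuple[str, str, bool]]:
    """Return (path, version, below_fix) for every log4j-core jar under lib_dir."""
    findings = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = Path(root) / name
            version = jar_version(path)
            if version is not None:
                findings.append((str(path), version, is_below_fix(version)))
    return sorted(findings)


def build_sample_lib(target_dir: str) -> str:
    """Constructed fixture: three tiny jars standing in for a ManifoldCF lib folder.
    None of them is a real artifact; they only carry the metadata the scanner reads."""
    lib = Path(target_dir) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    # log4j-core 2.14.1 that has been renamed; only pom.properties reveals what it is.
    with zipfile.ZipFile(lib / "renamed-logging.jar", "w") as zf:
        zf.writestr(POM_PROPERTIES,
                    "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n")
    # log4j-core 2.15.0 identified by file name alone (no pom.properties inside).
    with zipfile.ZipFile(lib / "log4j-core-2.15.0.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    # log4j-api is not log4j-core and must not be reported.
    with zipfile.ZipFile(lib / "log4j-api-2.14.1.jar", "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return str(lib)


def demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lib_dir(build_sample_lib(tmp))


if __name__ == "__main__":
    for path, version, below in demo():
        print(f"{'UPGRADE' if below else 'ok     '} {version:8} {path}")
```

Point `scan_lib_dir` at a real installation's lib directory to get the same report; the renamed-jar case is why the check reads pom.properties first and only trusts the file name as a fallback.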


Re: Log4j dependency

2021-12-14 Thread Furkan KAMACI
Hi Ritika,

For maven check here:

https://github.com/apache/manifoldcf/blob/trunk/pom.xml#L80

For Ant check here:

https://github.com/apache/manifoldcf/blob/trunk/build.xml#L87

Kind Regards,
Furkan KAMACI

On Tue, Dec 14, 2021 at 12:41 PM ritika jain wrote:

> Hi All,
>
> How does manifold.cf use log4j? When I checked the pom.xml of the ES connector,
> it is shown as an *exclusion* of a Maven dependency.
> [image: image.png]
>
> But when I checked the project's downloaded dependencies, it shows it being
> used and downloaded.
>
> [image: image.png]
> How does manifold use log4j, and how can we change its version?
>
> Thanks
> Ritika
>


Log4j dependency

2021-12-14 Thread ritika jain
Hi All,

How does manifold.cf use log4j? When I checked the pom.xml of the ES connector, it
is shown as an *exclusion* of a Maven dependency.
[image: image.png]

But when I checked the project's downloaded dependencies, it shows it being
used and downloaded.

[image: image.png]
How does manifold use log4j, and how can we change its version?

Thanks
Ritika