POI 5.1.0 and XMLBeans 5.0.2 (the latest releases of both) have dependencies on
log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are
in log4j-core.
If any POI or XMLBeans user uses log4j-core to control their logging of their
application, we strongly recommend that the
> Additionally Log4j versions prior to 2.0-beta9 are NOT affected by the
> recent vulnerability.
It is affected by older ones, like
https://www.cvedetails.com/cve/CVE-2019-17571/ etc.
On Tue, Dec 14, 2021 at 3:16 PM Markus Kirsten wrote:
> Hi,
> I can’t see that POI 4.0.1 used Log4j -
> https://ur
I have exactly the same understanding.
Sent from my Galaxy
Original message
From: Markus Kirsten
Date: 15/12/2021 00:16 (GMT+01:00)
To: POI Users List
Subject: Re: Log4J Security issue with POI 4.0.1
Hi, I can’t see that POI 4.0.1 used Log4j - https://poi.apache.org
Hi,
I can’t see that POI 4.0.1 used Log4j -
https://poi.apache.org/components/logging.html and hence should NOT be affected
by the vulnerability. Additionally Log4j versions prior to 2.0-beta9 are NOT
affected by the recent vulnerability.
Hope this helps, and somebody else can confirm.
Markus
We're using POI 4.0.1 which uses Log4j 1.2.17. Just want to confirm if this is
impacted by CVE-2021-44228 which recently identified a vulnerability with Log4j
(https://www.oracle.com/security-alerts/alert-cve-2021-44228.html).
Hi,
POI 5.1.0 uses Log4J 2 for logging. There has been an important new
release of Log4J - version 2.15.0 - to mitigate a security issue. The
POI team recommends that users upgrade their Log4J dependency to use
the 2.15.0 release.
https://logging.apache.org/log4j/2.x/security.html
https://www.lu