ManifoldCF framework and connectors use log4j 2.x to dump information to
the ManifoldCF log file.

Please read the following page:

https://logging.apache.org/log4j/2.x/security.html

Specifically, this part:

'Description: Apache Log4j2 <=2.14.1 JNDI features used in configuration,
log messages, and parameters do not protect against attacker controlled
LDAP and other JNDI related endpoints. An attacker who can control log
messages or log message parameters can execute arbitrary code loaded from
LDAP servers when message lookup substitution is enabled. From log4j
2.15.0, this behavior has been disabled by default.'

In other words, unless you are allowing external people access to the
crawler UI or to the API, it's impossible to exploit this in ManifoldCF.

However, in the interest of assuring people, we are updating this core
dependency to the recommended 2.15.0 anyway.  The release is scheduled by
the end of December.

Karl


On Tue, Dec 14, 2021 at 4:41 AM ritika jain <ritikajain5...@gmail.com>
wrote:

> Hi All,
>
> How does manifold.cf use log4j? When I checked pom.xml of ES connector,
> it is shown as an *exclusion* of maven dependency.
> [image: image.png]
>
> But when checked in Project's downloaded Dependencies, It shows it being
> used and downloaded.
>
> [image: image.png]
> How does manifold use log4j and how can we change the version of it?
>
> Thanks
> Ritika
>
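Both the question of how log4j reaches the ES connector despite the pom exclusion and Karl's 2.15.0 target come down to what `mvn dependency:tree` reports for the built module. As an added example (not code from this thread or from the ManifoldCF project), the script below parses that plugin's text output on a constructed sample tree (coordinates and versions are illustrative, not real ManifoldCF output) and lists each log4j artifact, the chain of parents that transitively pulls it in, and whether it predates 2.15.0.

```python
import re

# Constructed sample of `mvn dependency:tree` output; coordinates and
# versions are illustrative placeholders, not taken from ManifoldCF.
SAMPLE_TREE = """\
[INFO] org.apache.manifoldcf:mcf-elasticsearch-connector:jar:2.20:compile
[INFO] +- org.apache.manifoldcf:mcf-core:jar:2.20:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \\- org.elasticsearch.client:elasticsearch-rest-client:jar:7.10.2:compile
"""

# group:artifact:packaging:version (the plugin's default text format)
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|pom|war|bundle):([\w.\-]+)")
FIXED = (2, 15, 0)  # version the thread names as disabling JNDI lookups by default


def parse_version(v):
    """Turn '2.14.1' into (2, 14, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def parse_tree(text):
    """Return (depth, group, artifact, version) for each node in the tree."""
    nodes = []
    for line in text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = COORD.search(body)
        if not m:
            continue
        depth = m.start() // 3  # each tree level is three characters wide
        nodes.append((depth, m.group(1), m.group(2), m.group(3)))
    return nodes


def find_log4j(text, fixed=FIXED):
    """List every log4j artifact with the ancestor chain that brings it in."""
    findings, stack = [], []  # stack[i] is the ancestor at depth i
    for depth, group, artifact, version in parse_tree(text):
        del stack[depth:]
        stack.append(f"{group}:{artifact}:{version}")
        if group == "org.apache.logging.log4j":
            findings.append({"artifact": artifact, "version": version,
                             "path": list(stack),
                             "below_fixed": parse_version(version) < fixed})
    return findings


if __name__ == "__main__":
    for f in find_log4j(SAMPLE_TREE):
        status = "older than 2.15.0" if f["below_fixed"] else "ok"
        print(f"{f['artifact']} {f['version']} ({status}) via", " -> ".join(f["path"]))
```

Run it against real output with `mvn dependency:tree -Dincludes=org.apache.logging.log4j > tree.txt` and feed the file to `find_log4j`; a dependencyManagement pin or upgrade is only confirmed when no finding is reported below 2.15.0.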
