Hi Sebastian,
thank you for your assessment and quick response.
Best regards,
Thomas
Am 12.12.21 um 22:05 schrieb seba.wag...@gmail.com:
Afaik we are not using the native log4j library. I think the
vulnerability is only in the actual log4j.jar file.
log4j-over-slf4j is merely a bridge that mimics log4j APIs in order to
redirect the log stream into slf4j without rewriting the existing
log4j logging statements. The bridge ensures old dependencies that
have not been migrated to SLF4J can work with Openmeetings.
So OpenMeetings is not using or distributing the native log4j JAR
library. Also the Tomat version we are using that bundles OpenMeetings
into a Java Servlet Container is not affected since it's not using the
native log4j jar file.
So as far as I can see this vulnerability should not impact OpenMeetings.
However OpenMeetings regularly ships updates with the latest libraries
and dependencies, so if you are not using the latest version, you
should update. There have been other CVE's fixed in recent versions.
Thanks
Sebastian
Sebastian Wagner
Director Arrakeen Solutions, OM-Hosting.com
http://arrakeen-solutions.co.nz/
https://om-hosting.com - Cloud & Server Hosting for HTML5
Video-Conferencing OpenMeetings
<https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url><https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url>
On Mon, 13 Dec 2021 at 07:29, Thomas Scholzen <tschol...@buche17.de>
wrote:
Openmeetings has, among others, the following dependencies:
log4j-over-slf4j-1.7.32.jar
slf4j-api-1.7.32.jar
jcl-over-slf4j-1.7.32.jar
Does anyone know, whether these are affected by the log4j
vulnerability CVE-2021-44228 and have to be updated?
Thanks,
Thomas