Hi, I can’t see that POI 4.0.1 used Log4j - https://poi.apache.org/components/logging.html and hence should NOT be affected by the vulnerability. Additionally Log4j prior to version 2.0-beta9 are NOT affected by the recent vulnerability.
Hope this helps, and somebody else can confirm. Markus > On 15 Dec 2021, at 00:09, Azeemuddin Khaja <[email protected]> wrote: > > We're using POI 4.0.1 which uses Log4j 1.2.17. Just want to confirm if this > is impacted by CVE-2021-44228 which recently identified a vulnerability with > Log4j (https://www.oracle.com/security-alerts/alert-cve-2021-44228.html). > > NOTICE: This message, including all attachments transmitted with it, is > intended solely for the use of the Addressee(s) and may contain information > that is PRIVILEGED, CONFIDENTIAL, and/or EXEMPT FROM DISCLOSURE under > applicable law. If you are not the intended recipient, you are hereby > notified that any disclosure, copying, distribution, or use of the > information contained herein is STRICTLY PROHIBITED. If you received this > communication in error, please destroy all copies of the message, whether in > electronic or hard copy format, as well as attachments and immediately > contact the sender by replying to this email or contact the sender at the > telephone numbers listed above. Thank you! --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
