eurostat / searoute

Compute shortest maritime routes between ports

Log4j vulnerability

naveenrk opened this issue

@chillax @jgaffuri

The following imports have been found:

SeaRouting.java
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

MarnetBuilding.java
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.core.config.Configurator;

and couldn't find any reference to log4j in pom.xml.

Can you help us to identify and resolve the vulnerability?

Dears,
Searoute does not use log4j directly, but through one of its main dependencies, Geotools.
But note that Geotools is based on log4J version 1, which is totally different from log4J2 and does not seem to suffer from the important vulnerabilities discovered recently. For more info, see the release note here:
http://geotoolsnews.blogspot.com/2021/12/geotools-254-released.html
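
An added example, not part of the issue thread or of searoute's code: a Python check for the two questions raised here, namely which Log4j generation an import belongs to (`org.apache.logging.log4j` is the Log4j 2 namespace, `org.apache.log4j` is Log4j 1) and which dependency path brings a Log4j jar in when `pom.xml` does not name it. It parses `mvn dependency:tree` text output; the tree below is constructed, with placeholder coordinates and versions.

```python
import re

# Constructed `mvn dependency:tree` output; coordinates and versions are
# placeholders, not searoute's real dependency graph.
SAMPLE_TREE = r"""
[INFO] org.example:route-app:jar:1.0
[INFO] +- org.example:geo-lib:jar:1.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.x-PLACEHOLDER:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.x-PLACEHOLDER:compile
[INFO] \- log4j:log4j:jar:1.x-PLACEHOLDER:compile
"""

def classify_import(line):
    """Return the Log4j generation a Java import line belongs to, or None."""
    m = re.match(r"\s*import\s+(?:static\s+)?([\w.]+)\s*;", line)
    if not m:
        return None
    name = m.group(1)
    if name.startswith("org.apache.logging.log4j.core."):
        return "log4j2-core"   # implementation jar (log4j-core)
    if name.startswith("org.apache.logging.log4j."):
        return "log4j2-api"    # API jar (log4j-api)
    if name.startswith("org.apache.log4j."):
        return "log4j1"        # Log4j 1.x namespace
    return None

def classify_artifact(group, artifact):
    """Return the Log4j generation of a Maven coordinate, or None."""
    if group == "org.apache.logging.log4j":
        known = {"log4j-core": "log4j2-core", "log4j-api": "log4j2-api"}
        return known.get(artifact, "log4j2-other")
    if (group, artifact) == ("log4j", "log4j"):
        return "log4j1"
    return None

TREE_LINE = re.compile(r"^((?:[| ] {2}|[+\\]- )*)([^\s:]+(?::[^\s:]+){3,5})$")

def find_log4j(tree_text):
    """List (generation, version, dependency path) for each Log4j artifact."""
    hits, stack = [], []
    for raw in tree_text.splitlines():
        m = TREE_LINE.match(re.sub(r"^\[INFO\] ", "", raw))
        if not m:
            continue
        depth = len(m.group(1)) // 3      # each tree level is 3 characters wide
        parts = m.group(2).split(":")
        version = parts[-1] if depth == 0 else parts[-2]  # deps end in :scope
        stack = stack[:depth] + [f"{parts[0]}:{parts[1]}"]
        kind = classify_artifact(parts[0], parts[1])
        if kind:
            hits.append((kind, version, " > ".join(stack)))
    return hits
```

To use it on a real project, pass the text printed by `mvn dependency:tree` to `find_log4j` and each `import` line from the sources to `classify_import`.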