Log4Shell vulnerability #390
-
Could you please give a statement about how likely the library users are to be affected by the new Log4Shell vulnerability?
Replies: 1 comment 3 replies
-
Good question.

This library uses log4j2 and as such I spent time last Saturday double-checking the impact.

As documented here: "To minimize the complexity of the dependency handling I have chosen to simply not include ANY logging framework and expect the consuming system to provide whatever fits best."

From a technical perspective this library has all logging dependencies as "provided" (here), so it should not pull in any logging framework at all. So when using this library in your application it does not pull in any version of log4j2 automatically.

I also did a test on the webapp and Docker image (which does package the bad library) where I fired a JNDI test user agent string in and there was no DNS lookup.

So as far as I can tell this library should not be a problem.
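A way to verify the two claims in the reply on your own deployable, as an added example that is not code from the project or from the discussion: the script walks a directory of jars, wars and ears, recurses into nested archives (a war's WEB-INF/lib, a fat jar's embedded jars), and reports every archive that carries org/apache/logging/log4j/core/lookup/JndiLookup.class together with the log4j-core version read from its Maven pom.properties. The sample war and jar it scans are constructed in-line and are not real artifacts. It only reports; decide what a reported version means by comparing it with the Apache Log4j security advisory.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# The class that performs the JNDI lookup exploited by Log4Shell, and the
# Maven metadata file log4j-core ships with its version string.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _scan_zip_bytes(data: bytes, label: str, findings: list) -> None:
    """Scan one archive held in memory; recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container, nothing to inspect
    with zf:
        names = sorted(zf.namelist())
        if JNDI_LOOKUP in names:
            version = "unknown"
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append((label, version))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                # "outer!/inner" mirrors the jar: URL convention for nested entries
                _scan_zip_bytes(zf.read(name), f"{label}!/{name}", findings)


def scan_path(root) -> list:
    """Scan every archive below root.

    Returns a list of (archive label, log4j-core version) for each archive
    that contains JndiLookup.class, outermost archive first.
    """
    root = Path(root)
    findings: list = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            _scan_zip_bytes(p.read_bytes(), str(p.relative_to(root)), findings)
    return findings


def build_fixture(root) -> None:
    """Constructed sample input (not real artifacts): a war that nests a
    log4j-core-like jar carrying JndiLookup.class, plus a jar with no log4j."""
    root = Path(root)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\nversion=2.14.1\n")
    with zipfile.ZipFile(root / "webapp.war", "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", inner.getvalue())
    with zipfile.ZipFile(root / "clean-lib.jar", "w") as z:
        z.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")


def demo() -> list:
    """Build the constructed fixture in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return scan_path(tmp)


if __name__ == "__main__":
    for label, version in demo():
        print(f"JndiLookup.class found in {label} (log4j-core version {version})")
```

Point scan_path at the unpacked Docker image layer or the build output; a finding inside a nested jar is exactly the case the reply describes, where the webapp packages the library even though the library itself declares logging as provided. For the consumer-side half of the reply, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` on your own project shows whether any log4j artifact actually reaches the compile or runtime classpath. Neither replaces the runtime DNS-canary test the reply mentions; they only tell you what is on disk.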