We use Jericho 3.3, which has log4j 1.2.17 as a transitive dependency. We plan to upgrade to 2.17.1 for all third-party as well as direct dependencies. Jericho 3.4, the latest, has log4j-api 2.4; how can we get to log4j-api 2.17.1?
I'm having a problem learning to upgrade to log4j2. Before, I used log4j 1 with Apache ServiceMix 6.1.2; when I upgraded to log4j 2, I got an incompatibility error. I am learning to run the application on Apache ServiceMix 7.0.1 to get the latest version of log4j2.
I have read the documentation but do not understand which version of log4j ServiceMix 7.0.1 uses. Can anyone help me?
Hi, I installed Elasticsearch v7.6, and when I learned about the log4j vulnerability I scanned the log4j files.
I found that it uses log4j v2.11, which is vulnerable.
These are the files I found:
So how can I upgrade it or protect myself from this vulnerability?
I have ActiveMQ installed on Mac using brew, but it has been identified as having a critical vulnerability related to the log4j security issue, so it requires a patch.
In this case, how can I patch log4j?
/System/Volumes/Data/usr/local/Cellar/activemq/5.16.3/libexec/lib/optional/log4j-1.2.17.jar
/usr/local/Cellar/activemq/5.16.3/libexec/lib/optional/log4j-1.2.17.jar
Since you're using ActiveMQ 5.16.3 you can simply upgrade to 5.16.4 which replaced Log4j 1.2.17 with Reload4j 1.2.19. See AMQ-8472 for more details.
JFrog recommends upgrading log4j to 2.15 as a permanent fix. Can I just replace it with the latest log4j-api.jar file? Or does JFrog release a patch for this?
How can I completely fix the issue?
The best fix for this issue would be to upgrade your log4j dependencies to version 2.15.0, which resolved the issue in several layers and improved the overall security of log4j.
As an additional layer of protection, we also recommend setting the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable globally (see next section).
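An added example, not from any of the answers in this thread, of the check a defender runs before and after such an upgrade: it walks a directory for log4j jars, takes the version from each filename, records whether log4j-core's JndiLookup class is still inside, and flags 1.x jars plus any 2.x jar below 2.17.1 that still ships the class. The jars it builds are constructed stand-ins named after files mentioned in this thread, and the 2.17.1 cut-off is the target from the first question.

```python
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # only log4j-core ships it
NAME_VERSION = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")  # log4j-core-2.11.1.jar -> 2.11.1

def jar_version(path):
    m = NAME_VERSION.search(os.path.basename(path))
    return m.group(1) if m else "unknown"

def needs_attention(version, has_jndi, target=(2, 17, 1)):
    """1.x is end-of-life (replace it, as the ActiveMQ answer does); a 2.x below
    target that still carries JndiLookup has neither been upgraded nor stripped."""
    parts = tuple(int(p) for p in version.split(".") if p.isdigit())
    if not parts or parts[0] < 2:
        return True
    return parts < target and has_jndi

def scan(root):
    """Sorted (path, version, has_jndi, flagged) for every log4j*.jar under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.startswith("log4j") and name.endswith(".jar"):
                path = os.path.join(dirpath, name)
                with zipfile.ZipFile(path) as zf:
                    has_jndi = JNDI_LOOKUP in zf.namelist()
                version = jar_version(path)
                findings.append((path, version, has_jndi, needs_attention(version, has_jndi)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed stand-ins for jars named in the thread (no real bytecode inside)."""
    samples = [("lib/optional/log4j-1.2.17.jar", False),
               ("lib/log4j-core-2.11.1.jar", True),
               ("lib/log4j-core-2.17.1.jar", True)]   # class still present, but disabled
    for rel, has_jndi in samples:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            if has_jndi:
                zf.writestr(JNDI_LOOKUP, b"")
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return {os.path.basename(p): flag for p, _, _, flag in scan(build_sample_tree(tmp))}
```

Point `scan()` at a real install tree (for example the ActiveMQ libexec directory above) to get the same tuple per jar; a 2.17.1 jar is reported as carrying the class yet not flagged, because that release keeps it but disables it.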
#Syed JFrog products are not affected by this vulnerability, as they are not using the log4j-core package. We can confirm that JFrog services are not affected by CVE-2021-44228.
JFrog Security has validated that JFrog Platform solutions themselves are not affected, as no products, including Artifactory version 6.x or 7.x, use the log4j-core package. CVE-2021-44228 only affects 'log4j-core', which is not being used in Artifactory. Other packages such as log4j-over-slf4j, log4j-api and log4j-to-slf4j are unaffected.
Hence, there is no action required from users to upgrade this library.
My project demands an upgrade from Groovy 1.7.2 to a 1.8.x stable release. There are several jars that were created using Groovy 1.7.2; let me know whether these jars will be compatible with 1.8.x or not, or whether I need to completely rebuild them.
As it says on this mailing list entry:
A jar built with 1.7 will not run with a 1.8 runtime because two files were moved and one was removed.