Hi,

> > We have installed davmail 6.0.1 dated Dec. 3, 2021 as an RPM on CentOS 7.9.
> > However, it's only a few days ago that the Vulnerability in Apache Log4j
> > (CVE-2021-44228-Log4j) was announced. We note that Davmail includes a log4j [...]
> > Question: Is davmail vulnerable to log4j? If so, when could we expect a
> > security fix?
>
> Quoting https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001684#22
> Debian maintainer of Davmail, Alexandre Rossi:
>
> > Also, since a while already, Java now has its own internal logging
> > framework (java.util.logging.Logger), so there should be less and
> > less reason to use potentially unsafe third-party logging libraries
> > (but switching to java's internal logging might be more difficult
> > to do in the short run than just upgrading to a newer version).
>
> I'll try to report this upstream.
To clarify the log4j1 situation, it appears that it is not vulnerable unless you use JMSAppender, which davmail does not (there is also CVE-2019-17571 with SocketAppender, which is disabled but usable in davmail).

To clarify the Debian situation, the Debian package does not use the embedded jar but the system shared jar.

In the case of davmail, I would say that there is a good chance that the currently provided compiled zip in 6.0.1 is not vulnerable to CVE-2021-44228 because it does not use JMSAppender.

Alex
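As an added check (example code written for this page, not DavMail's own code or its shipped configuration), the script below verifies the two things the reply's reasoning rests on for a given install: which log4j generation a jar actually ships (log4j 1.x has no JndiLookup class, the log4j 2.x component behind CVE-2021-44228), and whether a log4j 1.x properties file merely defines a JMSAppender or SocketAppender or actually wires it to a logger. The class paths are the real log4j ones; the jar contents and the two properties files are constructed samples, and the function and constant names are this example's own.

```python
import io
import re
import zipfile

# Class files that tell the two log4j generations apart. JndiLookup is the
# log4j 2.x component behind CVE-2021-44228; it does not exist in log4j 1.x.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# log4j 1.x appenders the reply singles out, with the reason they matter.
RISKY_LOG4J1_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "resolves configured names through JNDI",
    "org.apache.log4j.net.SocketAppender": "sends serialized LoggingEvents over a socket",
}

# log4j 1.x properties syntax: appender definitions and logger wiring.
APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)$")
LOGGER_RE = re.compile(
    r"^log4j\.(rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def inspect_jar(jar_bytes):
    """Report which log4j generation a jar ships and whether JndiLookup is present."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return {
        "log4j1": LOG4J1_MARKER in names,
        "log4j2_core": LOG4J2_CORE_MARKER in names,
        "jndi_lookup_class": JNDI_LOOKUP in names,
    }


def audit_log4j1_properties(text):
    """List risky appenders a log4j 1.x properties file defines, and whether each is
    actually attached to a logger (defined-but-unattached is 'usable', not active)."""
    defined = {}       # appender name -> implementing class
    attached = set()   # appender names referenced from a logger line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue   # a commented-out appender is not configured at all
        m = APPENDER_RE.match(line)
        if m:
            defined[m.group(1)] = m.group(2)
            continue
        m = LOGGER_RE.match(line)
        if m:
            # value is "LEVEL, appenderA, appenderB"; the level comes first
            parts = [p.strip() for p in m.group(2).split(",")]
            attached.update(p for p in parts[1:] if p)
    return [
        {"appender": name, "class": cls, "attached": name in attached,
         "why": RISKY_LOG4J1_APPENDERS[cls]}
        for name, cls in defined.items() if cls in RISKY_LOG4J1_APPENDERS
    ]


def build_demo_jar(entry_names):
    """Constructed in-memory jar containing only empty entries with the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed sample config (not DavMail's shipped log4j.properties): the socket
# appender is defined but not wired to any logger, JMS is commented out.
SAFE_PROPERTIES = """\
log4j.rootLogger=WARN, console
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.socket=org.apache.log4j.net.SocketAppender
log4j.appender.socket.RemoteHost=localhost
#log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""

# Same file with JMSAppender defined and attached to the root logger.
EXPOSED_PROPERTIES = SAFE_PROPERTIES.replace(
    "log4j.rootLogger=WARN, console", "log4j.rootLogger=WARN, console, jms"
).replace("#log4j.appender.jms", "log4j.appender.jms")


if __name__ == "__main__":
    jar = build_demo_jar([LOG4J1_MARKER, "org/apache/log4j/net/JMSAppender.class"])
    print("jar:", inspect_jar(jar))
    for label, cfg in (("safe", SAFE_PROPERTIES), ("exposed", EXPOSED_PROPERTIES)):
        for f in audit_log4j1_properties(cfg):
            state = "ATTACHED" if f["attached"] else "defined only"
            print(f"{label}: {f['appender']} -> {f['class']} [{state}]: {f['why']}")
```

Run `inspect_jar` on the bytes of the jar the launcher really loads (the Debian package uses the system jar, the zip its embedded one) and `audit_log4j1_properties` on the log4j.properties in effect. An appender that is only defined, or commented out, never runs, which is the distinction behind "disabled but usable" in the reply; only an appender named on a rootLogger or logger line is live.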