All of the (known) remaining log4j 1.x security bugs (none of which are as severe as log4shell) are fixed in reload4j 1.2.18+. If you need to stick with 1.2 you should use that. Otherwise you can try to migrate to the log4j bridge; its compatibility was increased in 2.17.2 or 2.12.4.
Regards, Bernd
--
http://bernd.eckenfels.net

________________________________
From: Martin Gainty <[email protected]>
Sent: Thursday, March 3, 2022 1:18:50 PM
To: Maven Developers List <[email protected]>
Cc: David Milet <[email protected]>; [email protected] <[email protected]>; VZ-Product-OneTalk <[email protected]>; Danylo Volokh <[email protected]>
Subject: RE: Maven Dependency Plugin - Log4j vulnerabilities

I *thought* log4j 1.2.15 had the patch to mitigate the JNDI Security Vulnerability? Is this not the case?

Thanks
John M.

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------
From: John Patrick <[email protected]>
Date: 3/3/22 4:07 AM (GMT-05:00)
To: Maven Developers List <[email protected]>
Cc: David Milet <[email protected]>, [email protected], VZ-Product-OneTalk <[email protected]>, Danylo Volokh <[email protected]>
Subject: Re: Maven Dependency Plugin - Log4j vulnerabilities

Sorry, I thought you were talking about log4j v2, not v1.

I can see it downloads the metadata about the project but none of the jars;

local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1

local-repo/log4j
local-repo/log4j/log4j
local-repo/log4j/log4j/1.2.12
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom
local-repo/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
local-repo/log4j/log4j/1.2.12/_remote.repositories

So I would still say false positive, as the jar is not actually used.

But looking at the dependency tree it would need the apache commons to update commons-logging:commons-logging, then commons-digester:commons-digester, then org.apache.velocity:velocity-tools, then it gets to the 1st dependency within the maven ecosystem. So 5-ish patches to 5 separate projects to upgrade, test and release, each before the next PR can progress.
John

On Thu, 3 Mar 2022 at 07:53, Thomas Matthijs <[email protected]> wrote:
> That was just to demonstrate how I got the dependency chain, that file
> was there, but if you're going to be this hostile, I'm not interested
> anymore, muting thread
>
> On Thu, 3 Mar 2022 at 08:48, Piotr Żygieło <[email protected]> wrote:
> >
> > On Thu, 3 Mar 2022 at 08:37, Thomas Matthijs <[email protected]> wrote:
> > >
> > > Can confirm this project downloads log4j 1.12.12 for me
> >
> > As I see it - you confirm something else.
> >
> > > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> >
> > Failed to read artifact descriptor for log4j:log4j:jar:1.2.12:
> > _artifact descriptor_
> >
> > --
> > Piotrek
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
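The "pom present, jar absent" situation John describes is the usual cause of scanner false positives on a Maven local repository, since Maven resolves a dependency's descriptor for tree building even when the binary is never fetched. The following is an added triage script, not code from this thread or from the Maven project; the sample repository layout it builds is constructed to mirror the listing above (the commons-logging entry and its version are invented for contrast).

```python
# Added example: classify each artifact version directory in a Maven local
# repository as "jar" (binary actually downloaded) or "pom-only" (descriptor
# metadata only), so a scanner hit on the directory can be triaged.
import tempfile
from pathlib import Path


def classify_artifact_dirs(repo_root):
    """Map "groupId:artifactId:version" -> "jar" or "pom-only" for every
    version directory under repo_root that holds a .pom file."""
    repo_root = Path(repo_root)
    result = {}
    for pom in repo_root.rglob("*.pom"):          # ".pom.sha1" does not match
        version_dir = pom.parent
        version = version_dir.name
        artifact_id = version_dir.parent.name
        # group directories above the artifactId map back to the dotted groupId
        group_id = ".".join(version_dir.parent.parent.relative_to(repo_root).parts)
        has_jar = any(p.suffix == ".jar" for p in version_dir.iterdir())
        result[f"{group_id}:{artifact_id}:{version}"] = "jar" if has_jar else "pom-only"
    return result


def build_sample_repo(root):
    """Constructed sample: the log4j layout from the thread (metadata only)
    plus one hypothetical artifact whose jar really was downloaded."""
    root = Path(root)
    log4j = root / "log4j" / "log4j" / "1.2.12"
    log4j.mkdir(parents=True)
    for name in ("log4j-1.2.12.pom", "log4j-1.2.12.pom.sha1", "_remote.repositories"):
        (log4j / name).write_text("constructed placeholder\n")
    cl = root / "commons-logging" / "commons-logging" / "1.2"   # constructed
    cl.mkdir(parents=True)
    for name in ("commons-logging-1.2.pom", "commons-logging-1.2.jar"):
        (cl / name).write_text("constructed placeholder\n")
    return root


def triage_sample():
    """Build the constructed repository in a temp dir and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_repo(tmp)
        return classify_artifact_dirs(tmp)


if __name__ == "__main__":
    for gav, status in sorted(triage_sample().items()):
        print(f"{gav}: {status}")
```

Run `classify_artifact_dirs` against a real `~/.m2/repository` to see which flagged versions never had a binary on disk; a "pom-only" entry still belongs in the dependency tree but is not loadable code.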
