[jira] [Commented] (TIKA-3616) Upgrade log4j2

Jira Sat, 11 Dec 2021 03:52:05 -0800


    [ 
https://issues.apache.org/jira/browse/TIKA-3616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457595#comment-17457595
 ]


Luís Filipe Nassif commented on TIKA-3616:
------------------------------------------

Is it possible to upgrade to log4j-2.15.0 in Tika-1.x too? According to 
https://github.com/advisories/GHSA-jfh8-c2jp-5v3q log4j-1.x is vulnerable to 
other RCEs...

> Upgrade log4j2
> --------------
>
>                 Key: TIKA-3616
>                 URL: https://issues.apache.org/jira/browse/TIKA-3616
>             Project: Tika
>          Issue Type: Task
>            Reporter: Tim Allison
>            Priority: Major
>             Fix For: 2.1.1
>
>
> RCE...might be difficult to trigger in Tika, but why ask for a PoC...
> This only affects 2.x.  We were still using the old log4j in 1.x



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Commented] (TIKA-3616) Upgrade log4j2

Reply via email to