You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@sling.apache.org by JCR <jc...@proxymit.net> on 2021/12/13 12:56:23 UTC

Sling affected by latest log4j vulnerability?

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability

I don't think so. But there are folks here who know much more about the internals...

Anybody?

Thanks,
Juerg

Re: Sling affected by latest log4j vulnerability?

Posted by Robert Munteanu <ro...@apache.org>.

Hello Juerg,

On Mon, 2021-12-13 at 13:56 +0100, JCR wrote:
> https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
> 
> I don't think so. But there are folks here who know much more about
> the internals...
> 
> Anybody?
> 
> Thanks,
> Juerg

We are working on an official statement to be posted on the Sling
website. In the meantime, we have checked the sling source repos and
there are no traces of log4j2, so user applications should be fine as
long as they do not import log4j2 on their own.

Thanks,
Robert

Re: Sling affected by latest log4j vulnerability?

Posted by Robert Munteanu <ro...@apache.org>.

Hello Juerg,

On Mon, 2021-12-13 at 13:56 +0100, JCR wrote:
> https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability
> 
> I don't think so. But there are folks here who know much more about
> the internals...
> 
> Anybody?
> 
> Thanks,
> Juerg

We are working on an official statement to be posted on the Sling
website. In the meantime, we have checked the sling source repos and
there are no traces of log4j2, so user applications should be fine as
long as they do not import log4j2 on their own.

Thanks,
Robert