You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@poi.apache.org by Gabriel Barros <gb...@yahooinc.com.INVALID> on 2021/12/15 01:44:28 UTC

Re: [E] Re: Log4J Security issue with POI 4.0.1

> Additionally Log4j prior to version 2.0-beta9 are NOT affected by the
recent vulnerability.

It is affected by older ones, like
https://www.cvedetails.com/cve/CVE-2019-17571/ etc.

On Tue, Dec 14, 2021 at 3:16 PM Markus Kirsten <mk...@gmail.com> wrote:

> Hi,
> I can’t see that POI 4.0.1 used Log4j -
> https://urldefense.proofpoint.com/v2/url?u=https-3A__poi.apache.org_components_logging.html&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=z8Knaor1Zg-Y-a8CKhuVGUNs-mdnqQH_jm5MhbHoqKY&m=FFOiztZ-ppkekvQR2182IeukRXE4kPMxbL5bolJYRT9HdVuKJBVM0fUnVetDRD4X&s=CHPan1-cAsRvotasyaylqJlMHqbG-MxrtFI0qt0znbA&e=
> and hence should NOT be affected by the vulnerability. Additionally Log4j
> prior to version 2.0-beta9 are NOT affected by the recent vulnerability.
>
> Hope this helps, and somebody else can confirm.
>
>
> Markus
>
>
> > On 15 Dec 2021, at 00:09, Azeemuddin Khaja <ak...@my.uno.edu> wrote:
> >
> > We're using POI 4.0.1 which uses Log4j 1.2.17. Just want to confirm if
> this is impacted by CVE-2021-44228 which recently identified a
> vulnerability with Log4j (
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.oracle.com_security-2Dalerts_alert-2Dcve-2D2021-2D44228.html&d=DwIFaQ&c=sWW_bEwW_mLyN3Kx2v57Q8e-CRbmiT9yOhqES_g_wVY&r=z8Knaor1Zg-Y-a8CKhuVGUNs-mdnqQH_jm5MhbHoqKY&m=FFOiztZ-ppkekvQR2182IeukRXE4kPMxbL5bolJYRT9HdVuKJBVM0fUnVetDRD4X&s=khRzQsjPJoQmuGt3QgzsHZTPSoCcJnfJ487ars2liHY&e=
> ).
> >
> > NOTICE: This message, including all attachments transmitted with it, is
> intended solely for the use of the Addressee(s) and may contain information
> that is PRIVILEGED, CONFIDENTIAL, and/or EXEMPT FROM DISCLOSURE under
> applicable law. If you are not the intended recipient, you are hereby
> notified that any disclosure, copying, distribution, or use of the
> information contained herein is STRICTLY PROHIBITED. If you received this
> communication in error, please destroy all copies of the message, whether
> in electronic or hard copy format, as well as attachments and immediately
> contact the sender by replying to this email or contact the sender at the
> telephone numbers listed above. Thank you!
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
> For additional commands, e-mail: user-help@poi.apache.org
>
>