Posted to commits@camel.apache.org by da...@apache.org on 2021/12/13 06:12:23 UTC

[camel-website] 01/01: Blog about Apache Camel and the log4j security issue

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch log4j
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit d342c332abfb218bb471cef91dbc7b84ba751c9e
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Dec 13 07:12:07 2021 +0100

    Blog about Apache Camel and the log4j security issue
---
 content/blog/2021/12/log4j2/index.md | 40 ++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/content/blog/2021/12/log4j2/index.md b/content/blog/2021/12/log4j2/index.md
new file mode 100644
index 0000000..0d88e02
--- /dev/null
+++ b/content/blog/2021/12/log4j2/index.md
@@ -0,0 +1,40 @@
+---
+title: "Apache Camel and CVE-2021-44228 (log4j)"
+date: 2021-12-13
+draft: false
+authors: [davsclaus]
+categories: ["security"]
+preview: "Apache Camel and CVE-2021-44228 (log4j)"
+---
+
+### Apache Camel is NOT using log4j for production
+
+Apache Camel does not directly depend on Log4j 2, 
+so we are not affected by CVE-2021-44228. 
+
+If you explicitly added the Log4j 2 dependency to your own applications,
+make sure to upgrade.
+
+### Apache Camel is using log4j for testing itself
+
+Apache Camel does use log4j during testing itself, and therefore you
+can find that we have been using log4j v2.13.3 release in our latest LTS releases
+Camel 3.7.6, 3.11.4. 
+
+In the `camel-dependencies` BOM we extract all the 3rd party dependency
+version that was used for building and testing the release:
+
+    <log4j2-version>2.13.3</log4j2-version>
+
+In the upcoming LTS releases 3.14.0, 3.11.5, and 3.7.7 we have upgraded to
+log4j 2.15.0. For future releases then we plan to filter out testing
+dependencies in the `camel-dependencies` BOM, meaning that `log4j2-version`
+will no longer be included.
+
+### What about other Apache Camel projects?
+
+Apache Camel Quarkus and Camel K uses Quarkus as the runtime, and Quarkus does not use log4j, and 
+they are therefore not affected.
+
+
+
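Review bot: the unqualified "we are not affected by CVE-2021-44228" in the first section is contradicted by the second: the `camel-dependencies` BOM for the current LTS releases 3.7.6 and 3.11.4 exports `<log4j2-version>2.13.3</log4j2-version>`, so an application that imports that BOM and adds Log4j 2 without pinning its own version resolves to the vulnerable 2.13.3. The "make sure to upgrade" sentence should say explicitly that the BOM-managed version has to be overridden in the application's own build (override the `log4j2-version` property or declare the Log4j 2 artifacts with an explicit version of at least 2.15.0) until 3.14.0, 3.11.5 and 3.7.7 ship with the upgraded value. Smaller points in the same hunk: the heading "Apache Camel is NOT using log4j for production" is stronger than the body's "does not directly depend on Log4j 2", so align the two (the test-only use described in the second section is the precise statement); "Apache Camel Quarkus and Camel K uses Quarkus" should read "use"; and the file ends with two trailing blank lines that can be dropped.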