Posted to issues@archiva.apache.org by "Martin Stockhammer (Jira)" <ji...@apache.org> on 2021/12/16 19:33:00 UTC

[jira] [Commented] (MRM-2025) Update to log4j 2.16.0 (CVE-2021-45046)

    [ https://issues.apache.org/jira/browse/MRM-2025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461005#comment-17461005 ] 

Martin Stockhammer commented on MRM-2025:
-----------------------------------------

I consider the risk low here, as the vulnerability can only be exploited if the configuration uses certain configuration patterns and the code must be placed in the MDC. We have already changed the log4j version to 2.16.0 for the next release, which will be available not too far in the future, but we are not releasing immediately.

 

> Update to log4j 2.16.0 (CVE-2021-45046)
> ---------------------------------------
>
>                 Key: MRM-2025
>                 URL: https://issues.apache.org/jira/browse/MRM-2025
>             Project: Archiva
>          Issue Type: Dependency upgrade
>          Components: Audit Logging
>    Affects Versions: 2.2.6
>            Reporter: Robert Velter
>            Priority: Major
>
> log4j 2.15.0 is not enough to fully mitigate CVE-2021-44228.
> See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 
> Best regards, Robert
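A defender's check for the two preconditions named in the comment above (a Pattern Layout that interpolates MDC data, and a log4j-core version below 2.16.0), as an added example that is not code from the Archiva project or the comment author; the log4j2 configuration and version strings are constructed, and the MDC-referencing forms it looks for are the Context Lookup `${ctx:...}` / `$${ctx:...}` and the `%X` / `%mdc` / `%MDC` converters.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a log4j2.xml whose second appender uses a non-default
# PatternLayout that pulls Thread Context (MDC) values into the log line.
# Assumption: the real Archiva configuration differs from this sample.
SAMPLE_CONFIG = """<Configuration status="WARN">
  <Appenders>
    <Console name="stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p [%c] %m%n"/>
    </Console>
    <RollingFile name="audit" fileName="audit.log" filePattern="audit-%i.log">
      <PatternLayout pattern="%d user=${ctx:loginId} %X{sessionId} %m%n"/>
    </RollingFile>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>"""

# Layout fragments that interpolate Thread Context Map (MDC) data:
# context lookups ${ctx:...} / $${ctx:...} and the %X, %mdc, %MDC converters.
CONTEXT_LOOKUP = re.compile(r"\$\$?\{ctx:")
MDC_CONVERTER = re.compile(r"%(X|mdc|MDC)\b")

def risky_layouts(config_xml):
    """Return (appender name, pattern) for each PatternLayout that interpolates MDC data."""
    root = ET.fromstring(config_xml)
    hits = []
    for appender in root.find("Appenders"):
        for layout in appender.iter("PatternLayout"):
            pattern = layout.get("pattern", "")
            if CONTEXT_LOOKUP.search(pattern) or MDC_CONVERTER.search(pattern):
                hits.append((appender.get("name"), pattern))
    return hits

def version_is_fixed(version):
    """True when the log4j-core version is 2.16.0 or later (assumes plain x.y.z strings)."""
    parts = tuple(int(p) for p in version.split("."))
    return parts >= (2, 16, 0)

if __name__ == "__main__":
    for name, pattern in risky_layouts(SAMPLE_CONFIG):
        print(f"appender {name!r} interpolates MDC data: {pattern}")
    print("log4j 2.15.0 carries the 2.16.0 fix:", version_is_fixed("2.15.0"))
```

A configuration with no hits from `risky_layouts` does not meet the first precondition; one with hits should be upgraded to 2.16.0 or have the MDC-referencing layout removed.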



--
This message was sent by Atlassian Jira
(v8.20.1#820001)