Posted to commits@camel.apache.org by da...@apache.org on 2021/12/13 06:12:22 UTC

[camel-website] branch log4j created (now d342c33)

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a change to branch log4j
in repository https://gitbox.apache.org/repos/asf/camel-website.git.


      at d342c33  Blog about Apache Camel and the log4j security issue

This branch includes the following new commits:

     new d342c33  Blog about Apache Camel and the log4j security issue

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[camel-website] 01/01: Blog about Apache Camel and the log4j security issue

Posted by da...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch log4j
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit d342c332abfb218bb471cef91dbc7b84ba751c9e
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Dec 13 07:12:07 2021 +0100

    Blog about Apache Camel and the log4j security issue
---
 content/blog/2021/12/log4j2/index.md | 40 ++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/content/blog/2021/12/log4j2/index.md b/content/blog/2021/12/log4j2/index.md
new file mode 100644
index 0000000..0d88e02
--- /dev/null
+++ b/content/blog/2021/12/log4j2/index.md
@@ -0,0 +1,40 @@
+---
+title: "Apache Camel and CVE-2021-44228 (log4j)"
+date: 2021-12-13
+draft: false
+authors: [davsclaus]
+categories: ["security"]
+preview: "Apache Camel and CVE-2021-44228 (log4j)"
+---
+
+### Apache Camel is NOT using log4j for production
+
+Apache Camel does not directly depend on Log4j 2, 
+so we are not affected by CVE-2021-44228. 
+
+If you explicitly added the Log4j 2 dependency to your own applications,
+make sure to upgrade.
+
+### Apache Camel is using log4j for testing itself
+
+Apache Camel does use log4j during testing itself, and therefore you
+can find that we have been using log4j v2.13.3 release in our latest LTS releases
+Camel 3.7.6, 3.11.4. 
+
+In the `camel-dependencies` BOM we extract all the 3rd party dependency
+version that was used for building and testing the release:
+
+    <log4j2-version>2.13.3</log4j2-version>
+
+In the upcoming LTS releases 3.14.0, 3.11.5, and 3.7.7 we have upgraded to
+log4j 2.15.0. For future releases then we plan to filter out testing
+dependencies in the `camel-dependencies` BOM, meaning that `log4j2-version`
+will no longer be included.
+
+### What about other Apache Camel projects?
+
+Apache Camel Quarkus and Camel K uses Quarkus as the runtime, and Quarkus does not use log4j, and 
+they are therefore not affected.
+
+
+
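Review bot: The absolute statement `so we are not affected by CVE-2021-44228.` in the first section is undercut by what the same file says two sections later: the `camel-dependencies` BOM publishes `<log4j2-version>2.13.3</log4j2-version>`, and the text `we extract all the 3rd party dependency version that was used` reads as if importing the BOM manages log4j artifacts at that vulnerable version. The post should say explicitly whether an application that imports the BOM and declares log4j without its own version inherits 2.13.3, and the sentence `make sure to upgrade.` should name the target version (2.15.0 is already mentioned for the upcoming LTS releases) and tell readers to override `log4j2-version` or the direct dependency version themselves rather than wait for 3.14.0, 3.11.5 or 3.7.7. Grammar in the hunk: `dependency version that was used` should be `dependency versions that were used`, and `Camel K uses Quarkus as the runtime` should be `Camel K use Quarkus as the runtime`; the lines `Apache Camel does not directly depend on Log4j 2,` and `so we are not affected by CVE-2021-44228.` carry trailing whitespace, and the file ends with two blank `+` lines that can be dropped.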