You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jena.apache.org by "Rob Vesse (Jira)" <ji...@apache.org> on 2021/12/10 11:46:00 UTC

[jira] [Commented] (JENA-2211) upgrade log4j2 from 2.14.1 to 2.15.0

    [ https://issues.apache.org/jira/browse/JENA-2211?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17457080#comment-17457080 ] 

Rob Vesse commented on JENA-2211:
---------------------------------

Yes the team is aware of the vulnerability and will look to put on a 4.3.1 release ASAP

Note that provided you are using recent Jena versions you will have a recent enough Log4j2 dependency that the  suggested workaround from the Log4j project - adding {{-Dlog4j2.formatMsgNoLookups=true}} to the JVM arguments - can be used in the meantime.

> upgrade log4j2 from 2.14.1 to 2.15.0
> ------------------------------------
>
>                 Key: JENA-2211
>                 URL: https://issues.apache.org/jira/browse/JENA-2211
>             Project: Apache Jena
>          Issue Type: Dependency upgrade
>            Reporter: Øyvind Gjesdal
>            Priority: Major
>
> There is CVE 2021-4228 for log4j2. Not sure how it affects the the different artifacts. https://github.com/advisories/GHSA-jfh8-c2jp-5v3q
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)