Posted to user@poi.apache.org by PJ Fanning <fa...@apache.org> on 2021/12/10 19:32:07 UTC
Log4J security issue
Hi,
POI 5.1.0 uses Log4J 2 for logging. There has been an important new
release of Log4J - version 2.15.0 - to mitigate a security issue. The
POI team recommends that users upgrade their Log4J dependency to use
the 2.15.0 release.
https://logging.apache.org/log4j/2.x/security.html
https://www.lunasec.io/docs/blog/log4j-zero-day/
The lunasec blog includes details of a 'temporary' setting you can use
to mitigate the issue (if you can't upgrade to log4j v2.15.0 yet).
Regards,
PJ
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@poi.apache.org
For additional commands, e-mail: user-help@poi.apache.org
Re: Log4J security issue
Posted by PJ Fanning <fa...@yahoo.com.INVALID>.
POI 5.1.0 and XMLBeans 5.0.2 (the latest releases of both) have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core.
If any POI or XMLBeans user uses log4j-core to control the logging of their application, we strongly recommend that they upgrade all their log4j dependencies to the latest version (currently v2.16.0) - including log4j-api.
On Friday 10 December 2021, 20:32:25 GMT+1, PJ Fanning <fa...@apache.org> wrote:
Hi,
POI 5.1.0 uses Log4J 2 for logging. There has been an important new
release of Log4J - version 2.15.0 - to mitigate a security issue. The
POI team recommends that users upgrade their Log4J dependency to use
the 2.15.0 release.
https://logging.apache.org/log4j/2.x/security.html
https://www.lunasec.io/docs/blog/log4j-zero-day/
The lunasec blog includes details of a 'temporary' setting you can use
to mitigate the issue (if you can't upgrade to log4j v2.15.0 yet).
Regards,
PJ
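As an added example (not code from the thread or from the POI project), a small checker over the output of `mvn dependency:list` that applies the reply's two points: only log4j-core carries the vulnerability, and every log4j artifact should be moved to the same recommended release. The sample dependency list is constructed, and the Maven output line format it parses is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:list` output (not real project output):
# POI 5.1.0 pulls in log4j-api 2.14.1, and the application wires log4j-core
# as its backend but has only bumped it to 2.15.0 (a partial upgrade).
SAMPLE_DEPENDENCY_LIST = """
[INFO] The following files have been resolved:
[INFO]    org.apache.poi:poi:jar:5.1.0:compile
[INFO]    org.apache.xmlbeans:xmlbeans:jar:5.0.2:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.15.0:compile
""".strip().splitlines()

# Release the thread recommends; every log4j artifact should sit at it.
RECOMMENDED = "2.16.0"

# groupId:artifactId:packaging:version[:scope], as printed by dependency:list (assumed format)
_COORD = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):\w+:(?P<version>[\w.\-]+)(?::\w+)?")

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def log4j_artifacts(lines: List[str]) -> Dict[str, str]:
    """Map artifactId -> version for every org.apache.logging.log4j entry in the list."""
    found: Dict[str, str] = {}
    for line in lines:
        m = _COORD.search(line)
        if m and m.group("group") == "org.apache.logging.log4j":
            found[m.group("artifact")] = m.group("version")
    return found

def audit_log4j(lines: List[str], recommended: str = RECOMMENDED) -> List[str]:
    """Return human-readable findings; an empty list means nothing to change."""
    arts = log4j_artifacts(lines)
    findings: List[str] = []
    core = arts.get("log4j-core")
    if core is None:
        # Only log4j-api on the classpath (the POI/XMLBeans default): the thread notes
        # the vulnerability is in log4j-core, so there is nothing to patch here.
        return findings
    if parse_version(core) < parse_version(recommended):
        findings.append(f"log4j-core {core} is below {recommended}: upgrade")
    for name, ver in arts.items():
        if ver != core:  # api and core drifting apart is the partial-upgrade trap
            findings.append(f"{name} {ver} does not match log4j-core {core}: align all log4j artifacts")
    return findings

if __name__ == "__main__":
    for f in audit_log4j(SAMPLE_DEPENDENCY_LIST) or ["no log4j-core findings"]:
        print(f)
```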