
log4j vulnerability #15

Open
bepe1965 opened this issue Mar 8, 2022 · 3 comments

Comments


bepe1965 commented Mar 8, 2022

Hi

I am not a technical expert, but I noted that there is a reference to LOG4J in the code.

Just wanted to ask if there is any risk regarding the log4j vulnerability that has been exposed?

Can it be confirmed that this does not apply to the snow-import-plugin?

Thanks in advance.

Contributor

herve91 commented Mar 8, 2022

Hi,
My plugins effectively do use Log4J to generate their log files.
Nevertheless, the vulnerability concerns Log4J release 2, but I am using Log4J release 1.
So I confirm that none of my plugins are concerned by the vulnerability.
Best regards

Author

bepe1965 commented Mar 8, 2022

Hi Herve91

Thank you for your quick reply.

I asked one of our security experts, and he came back with the following answer:

I can see that log4j-1.2.17.jar is being used, and this is vulnerable (see the link below):
https://www.cvedetails.com/cve/CVE-2019-17571/

He advised against using this version.

Do you have any plans to update to the latest version, or perhaps advice on whether the above version is safe to use in this context?

Thanks in advance.

Contributor

herve91 commented Mar 8, 2022

You might have been clearer in your first post ;)

I was referring to the exploit that was released last December (https://www.cvedetails.com/cve/CVE-2021-44228), which does not concern Log4J release 1.

That said, I'm using an old version of Log4J, but it has a few advantages: it is simple to configure and to use, and I unfortunately do not have time to replace it soon.

But as my plugins are open source, please do not hesitate to contribute. You may do it yourself or ask your dev team to do it ;)

Best regards
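The two replies above talk past each other because "the Log4j vulnerability" means CVE-2021-44228 for Log4j 2.x and CVE-2019-17571 for Log4j 1.2.x. The check below is an added example, not code from the snow-import-plugin or from either commenter: it reads the Maven `pom.properties` inside a jar to identify the Log4j major version and maps it to the CVE family each side of the thread refers to. The version thresholds and the in-memory jar fixtures are my assumptions, not values taken from the thread.

```python
import io
import re
import zipfile

# Thresholds from the public advisories (assumptions recorded here, not taken from
# the thread): CVE-2021-44228 affects Log4j 2.x before 2.15.0; CVE-2019-17571
# affects Log4j 1.2.x, of which 1.2.17 is the final release.
LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}
FIRST_FIXED_2X = (2, 15, 0)

def log4j_version(jar_bytes):
    """Return the Log4j version tuple from the jar's pom.properties, or None if not Log4j."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            # pom.properties is key=value per line; '#' lines are comments
            props = dict(tuple(s.strip() for s in line.partition("=")[::2])
                         for line in zf.read(name).decode("utf-8", "replace").splitlines()
                         if "=" in line and not line.startswith("#"))
            if props.get("groupId") in LOG4J_GROUPS:
                m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", props.get("version", ""))
                return tuple(int(g or 0) for g in m.groups()) if m else None
    return None

def classify(version):
    """Map a version tuple to the CVE family discussed in the thread."""
    if version is None:
        return "not a Log4j artifact"
    if version[0] == 1:
        return "Log4j 1.x (end of life): CVE-2019-17571 applies, CVE-2021-44228 does not"
    if version < FIRST_FIXED_2X:
        return "Log4j 2.x before 2.15.0: CVE-2021-44228 applies"
    return "Log4j 2.x at or above 2.15.0: CVE-2021-44228 fixed; review later 2.x advisories"

def make_jar(entries):
    # Constructed in-memory jar used only as a fixture; not a real artifact.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed fixtures mimicking the pom.properties layout of Maven-built jars.
LOG4J_1_2_17 = make_jar({"META-INF/maven/log4j/log4j/pom.properties":
                         "#Generated by Maven\nversion=1.2.17\ngroupId=log4j\nartifactId=log4j\n"})
LOG4J_CORE_2_14_1 = make_jar({"META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties":
                              "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n"})
```

Run `classify(log4j_version(open(path, "rb").read()))` over the jars shipped with a plugin to see which advisory, if any, applies to each one.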
