This repository has been archived by the owner on May 4, 2023. It is now read-only.

log4j vulnerabilities #292

recaph opened this issue Jan 26, 2022 · 5 comments

Comments

@recaph

recaph commented Jan 26, 2022

Is couchdb-lucene affected by any of the following vulnerabilities reported against log4j? And what are the plans to fix them?

CVE-2022-23307 CVE-2021-44228 CVE-2021-45046 CVE-2021-4104 CVE-2019-17571 CVE-2022-23302 CVE-2022-23305 CVE-2020-9488 CVE-2021-44832 CVE-2021-45105

Due to recent critical vulnerabilities in the log4j libraries, our company has decided to move away from any software that uses vulnerable versions of log4j, including the older 1.x versions, due to the following statement from the Apache Log4j team:

Please note that Log4j 1.x has reached End of Life in 2015 and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

@htiwari1986

htiwari1986 commented Feb 4, 2022

Hi @rnewson, is there any plan to fix the log4j vulnerabilities in couchdb-lucene?

The pom.xml log4j dependency is 1.2.14.

@rnewson
Owner

rnewson commented Feb 4, 2022

Hi,

log4j 1.x is not vulnerable to any of the "Log4Shell" problems. As for the other CVEs, they apply if you choose to use certain features of log4j.

I don't have much time to spend on couchdb-lucene but I might look into this, and I'd be happy to review a patch.

The preferred fix is to switch to the latest version of Logback instead of log4j (https://logback.qos.ch/).
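The "certain features" point above can be checked mechanically: the Log4j 1.x advisories for several of the CVEs listed in this thread name specific appender classes, so a deployment's log4j.properties shows whether those code paths are even configured. The following is an added example written for this thread, not code from couchdb-lucene; the CVE-to-class table comes from the public advisories and the sample configuration is constructed.

```python
import re

# Log4j 1.x appenders named in the public advisories for CVEs from this
# thread. The Log4Shell family (CVE-2021-44228, -45046, -45105, -44832)
# is Log4j 2.x only and does not belong here. CVE-2019-17571 (SocketServer),
# CVE-2022-23302 (JMSSink) and CVE-2022-23307 (Chainsaw) concern standalone
# receiver/tool classes rather than appenders, so a config scan cannot
# observe them; check the classpath and running processes for those.
RISKY_LOG4J1_APPENDERS = {
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
}

# Matches only the appender class line "log4j.appender.<name>=<class>",
# not the per-appender settings such as "log4j.appender.<name>.File=...".
APPENDER_LINE = re.compile(
    r"^\s*log4j\.appender\.([A-Za-z0-9_\-]+)\s*=\s*([\w.$]+)\s*$"
)


def flag_log4j1_config(properties_text):
    """Return {appender_name: (class, cve)} for configured appenders
    that the Log4j 1.x advisories tie to a CVE."""
    findings = {}
    for line in properties_text.splitlines():
        m = APPENDER_LINE.match(line)
        if not m:
            continue
        name, cls = m.groups()
        if cls in RISKY_LOG4J1_APPENDERS:
            findings[name] = (cls, RISKY_LOG4J1_APPENDERS[cls])
    return findings


# Constructed sample (not a couchdb-lucene file): a plain file appender
# beside a JMS appender of the kind the 1.x advisories call out.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, FILE, JMS
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=/var/log/couchdb-lucene.log
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.TopicBindingName=logTopic
"""

if __name__ == "__main__":
    for name, (cls, cve) in flag_log4j1_config(SAMPLE_CONFIG).items():
        print(f"appender {name!r} uses {cls}: see {cve}")
```

A clean result here only means the risky appenders are not configured; removing the 1.x jar (as done on master) or moving to Logback is what actually retires the code.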

@rnewson
Owner

rnewson commented Feb 4, 2022

log4j dependency removed on the master branch.

@recaph
Author

recaph commented Feb 4, 2022

@rnewson that's great. Are you expecting more changes on master? And will the new changes be made available as a release?

@rnewson
Owner

rnewson commented Feb 4, 2022

I'm not planning any development, just updating dependencies. I might cut a release once I've done some testing beyond just the test suite. If you want to try master and let me know if it works for you, that would really help.
