Gradle dependency (org.apache.commons) is also affected by the current log4j vulnerability or not?

Time:12-12

Currently a vulnerability in the Log4j logging framework has happened. But in our project we are not using the log4j dependency directly. We are using log4j via org.apache.common..... So the question is: will it be affected or not?

CodePudding user response:

When using Apache Commons Logging, you still have to provide a specific logging system for Apache Commons Logging to use. If that specific system happens to be Log4j (either provided explicitly or implicitly because it's the primary default of Apache Commons Logging), you should assume that your project is affected by the vulnerability and update your log4j dependency to a patched version or use a different logging system.

CodePudding user response:

Check if the classpath contains the class JndiLookup or not, as suggested in this article:

Substitute a non-vulnerable or empty implementation of the class org.apache.logging.log4j.core.lookup.JndiLookup, in a way that your classloader uses your replacement instead of the vulnerable version of the class. Refer to your application's or stack's classloading documentation to understand this behavior.
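The classpath check from the answer above, as an added example that is not part of the original answer: it opens each JAR and looks for the `JndiLookup.class` entry, and also descends into JARs nested inside a JAR (Spring Boot fat jars and WAR files), which the answer does not cover. The `build_sample_jar` helper only constructs in-memory sample input so the script runs offline; point `scan_directory` at a real build output or lib directory to use it.

```python
"""Find JARs that ship org.apache.logging.log4j.core.lookup.JndiLookup."""
import io
import sys
import zipfile
from pathlib import Path

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def jar_has_jndilookup(jar_bytes: bytes) -> bool:
    """True if the archive (as bytes) contains JndiLookup.class, directly or
    inside a nested archive such as BOOT-INF/lib/log4j-core-*.jar."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
            for name in zf.namelist():
                if name == JNDI_LOOKUP:
                    return True
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    if jar_has_jndilookup(zf.read(name)):
                        return True
    except zipfile.BadZipFile:
        return False  # not a zip at all; nothing to inspect
    return False


def scan_directory(root: str) -> list:
    """Paths (relative to root) of every archive under root carrying JndiLookup."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            if jar_has_jndilookup(path.read_bytes()):
                hits.append(str(path.relative_to(root)))
    return hits


def build_sample_jar(entries: dict) -> bytes:
    """Constructed sample input: an in-memory JAR built from {entry: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit in scan_directory(target):
        print("JndiLookup found in:", hit)
```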
