Mitigation of Log4J CVE in spatial plugin

mrj22
Node Link

Hey.
We are wondering if there are any efforts under way for the mitigation of the Log4j CVE in the spatial plugin. Log4J is only used in a couple of areas, but it is there. Is there a plan to remove it altogether or update to the newer version of Log4J?
Thanks,
Michael

1 ACCEPTED SOLUTION

craig_taverner
Graph Buddy

Looking at the pom.xml file I see we depend on log4j 1.2.17. This is not affected by the CVE, at least according to the information at Log4j – Apache Log4j Security Vulnerabilities.

Log4j 1.x is not impacted by this vulnerability.

When I look at where it is used, it seems to be the GeoServer integration, and we would depend on the version used by the version of GeoServer. So if we port to a newer GeoServer, then we should make sure that the version of Log4j they use is not affected. But right now it does not seem to be a concern for the current version of the spatial library.
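
A scripted version of the check Craig describes (open pom.xml, find the Log4j coordinates, read off which line the version belongs to), added here as an example; it is not code from the spatial plugin or from this thread. It assumes a standard Maven pom.xml, resolves `${...}` version placeholders and `dependencyManagement`, and for a 2.x dependency only tells you to compare the version against the Apache advisory, since the thread does not list affected 2.x versions.

```python
import re
import xml.etree.ElementTree as ET

# Maven coordinates of the two Log4j lines. Direct dependencies only: to see what
# GeoServer or other libraries pull in transitively, run `mvn dependency:tree`.
LOG4J_LINES = {("log4j", "log4j"): "1.x", ("org.apache.logging.log4j", "log4j-core"): "2.x",
               ("org.apache.logging.log4j", "log4j-api"): "2.x"}

def _child_text(elem, ns, tag):
    return (elem.findtext(ns + tag) or "").strip()

def _expand(value, props):
    # Expand ${name} placeholders such as ${log4j.version}; unknown names stay as written.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")

def find_log4j(pom_xml):
    """Return [(groupId, artifactId, version, line)] for every Log4j dependency declared in the pom."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""  # default xmlns, if any
    props_el = root.find(ns + "properties")
    props = {} if props_el is None else {p.tag[len(ns):]: (p.text or "").strip() for p in props_el}
    managed = {}  # dependencyManagement supplies the version when a dependency omits its own
    for dep in root.iterfind(f"{ns}dependencyManagement/{ns}dependencies/{ns}dependency"):
        key = (_child_text(dep, ns, "groupId"), _child_text(dep, ns, "artifactId"))
        managed[key] = _expand(_child_text(dep, ns, "version"), props)
    found = []
    for dep in root.iterfind(f"{ns}dependencies/{ns}dependency"):
        key = (_child_text(dep, ns, "groupId"), _child_text(dep, ns, "artifactId"))
        if key in LOG4J_LINES:
            version = _expand(_child_text(dep, ns, "version"), props) or managed.get(key, "?")
            found.append((key[0], key[1], version, LOG4J_LINES[key]))
    return found

def assess(pom_xml):
    """One verdict per Log4j dependency, applying the advisory's rule that the 1.x line is not impacted."""
    # 1.x is not impacted by this CVE (and is end-of-life, so gets no fixes at all); 2.x must be checked against the advisory.
    return {f"{g}:{a}:{v}": ("not impacted by this CVE (Log4j 1.x line)" if line == "1.x"
                             else "2.x line: compare this version against the Apache Log4j advisory")
            for g, a, v, line in find_log4j(pom_xml)}

# Constructed pom.xml: 1.2.17 is the version quoted in the thread, every other value is made up.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>1.2.17</log4j.version><log4j2.version>2.0-CONSTRUCTED</log4j2.version></properties>
  <dependencyManagement><dependencies><dependency>
    <groupId>log4j</groupId><artifactId>log4j</artifactId><version>${log4j.version}</version>
  </dependency></dependencies></dependencyManagement>
  <dependencies><dependency><groupId>log4j</groupId><artifactId>log4j</artifactId></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j2.version}</version></dependency>
    <dependency><groupId>org.neo4j</groupId><artifactId>neo4j</artifactId><version>CONSTRUCTED</version></dependency>
  </dependencies></project>"""
```

Running `assess(SAMPLE_POM)` reports the 1.x dependency as not impacted and flags the 2.x one for comparison against the advisory; point `find_log4j` at the real pom.xml (and at `mvn dependency:tree` output for transitive dependencies) to repeat the check after a GeoServer upgrade.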

Hey Craig.
Thanks so much for the quick reply. Very glad to hear that it isn't a problem.
Michael