Reg. Codehaus Cargo and recently made public Log4J vulnerabilities


S. Ali Tokmen

Dec 18, 2021, 2:24:13 PM12/18/21
to Codehaus Cargo
Dear Codehaus Cargo enthusiasts

Many of you must have read about the severe security issues discovered
recently with Log4J's 2.x versions, fixed with version 2.17.0, and must
have been spending quite some time identifying which of the software
components you use are vulnerable.

Codehaus Cargo, as described in the
https://codehaus-cargo.github.io/cargo/Installation.html page, does not
use Log4J directly; it rather relies on Apache Commons Logging - which,
so far, has not been detected as vulnerable. As a result, Codehaus Cargo
itself should not be vulnerable to CVE-2021-44228 nor other Log4J
specific vulnerabilities.

Nevertheless, if Log4J is present in your classpath, Apache Commons
Logging is very likely to bind to Log4J for the logging implementation.
It hence remains paramount that you check for the direct and indirect
references to Log4j in your software builds and execution environments.

Regards

--

S. Ali Tokmen
https://ali.tokmen.com/
https://contact.ali.tokmen.com/
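The check the post asks for, finding direct and indirect (nested) copies of log4j-core in a build output or deployment tree and flagging anything below 2.17.0, can be scripted. The Python below is an added example written for this page; it is not code from the post, from Codehaus Cargo, or from Apache Log4j. It identifies log4j-core by its Maven `pom.properties` entry and, as a fallback for shaded JARs with stripped metadata, by the presence of `JndiLookup.class`; it descends into JAR/WAR/EAR/ZIP archives nested inside other archives. The fixture archives it builds under a temporary directory (a 2.14.1 copy, a 2.17.0 copy, a WAR embedding the 2.14.1 copy, and a commons-logging JAR with no Log4j) are constructed sample data; copies relocated to another package name would not be detected by this check.

```python
import io
import os
import tempfile
import zipfile

# Fix version named in the post above.
FIXED_VERSION = (2, 17, 0)
# Maven metadata that log4j-core JARs carry; gives the exact version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class behind CVE-2021-44228; its presence flags a log4j-core copy even if
# the Maven metadata was stripped (e.g. by a shading / fat-jar plugin).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix like '-rc1' is ignored, missing parts are 0."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        lead = ""
        for ch in piece:
            if not ch.isdigit():
                break
            lead += ch
        parts.append(int(lead) if lead else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_pom(data):
    """Return the 'version=' value from pom.properties bytes, or None."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(blob, label):
    """Findings for one archive and every archive nested inside it.

    Each finding is (label, version_or_None, has_jndi_lookup)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        version = version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
        has_jndi = JNDI_LOOKUP in names
        if version is not None or has_jndi:
            findings.append((label, version, has_jndi))
        for name in sorted(names):  # recurse into WEB-INF/lib, EAR modules, fat JARs
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(name), f"{label}!/{name}"))
    return findings


def scan_tree(root):
    """Walk a build output or deployment directory; labels are paths relative to root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), rel))
    return findings


def needs_attention(finding):
    """Below 2.17.0, or version unknown but JndiLookup present."""
    _, version, has_jndi = finding
    if version is None:
        return has_jndi
    return parse_version(version) < FIXED_VERSION


def vulnerable_paths(root):
    return sorted(f[0] for f in scan_tree(root) if needs_attention(f))


def _jar(entries):
    """Build an in-memory ZIP from {name: bytes}; constructed fixture, not real Log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixtures: vulnerable 2.14.1, fixed 2.17.0, the 2.14.1 copy nested in a WAR,
    and a commons-logging JAR that carries no Log4j at all."""
    old = _jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    fixed = _jar({POM_PROPS: b"version=2.17.0\n", JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    jcl = _jar({"org/apache/commons/logging/LogFactory.class": b"\xca\xfe\xba\xbe"})
    war = _jar({"WEB-INF/lib/log4j-core-2.14.1.jar": old, "WEB-INF/web.xml": b"<web-app/>"})
    os.makedirs(os.path.join(root, "lib"))
    for name, blob in [("lib/log4j-core-2.14.1.jar", old), ("lib/log4j-core-2.17.0.jar", fixed),
                       ("lib/commons-logging-1.2.jar", jcl), ("app.war", war)]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)


def run_demo():
    """Scan the constructed tree and return the paths that still need attention."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return vulnerable_paths(root)


if __name__ == "__main__":
    for p in run_demo():
        print("NEEDS ATTENTION:", p)
```

Point `vulnerable_paths()` at a real `target/` directory or a container's deployment folder instead of the fixture tree; the `!/` separator in a reported path shows where a copy is nested inside another archive, which is the indirect reference the post warns about.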
