Security advisory for JavaMelody


Vernat Emeric

Dec 16, 2021, 3:01:39 AM
to javam...@googlegroups.com

Most applications monitored by javamelody use either the dependency (jar file) javamelody-core or the dependency javamelody-spring-boot-starter. Neither is affected by the log4j CVE, because they do not include log4j and they do not declare a compile or runtime dependency on log4j. Other applications use a plugin for Jenkins or for JIRA/Confluence/Bamboo/Bitbucket or for Liferay or for Alfresco or for Sonar or for Grails. Those plugins are not affected for the same reason.

The optional javamelody collect server is sometimes used and it includes log4j, for which the recent security advisories were published (CVE-2021-44228 and CVE-2021-45046).
When the collect server is used, it is recommended to upgrade the collect server to the latest version 1.90.0, which includes the latest log4j 2.16.0.
You can find the version 1.90.0 of the collect server at https://github.com/javamelody/javamelody/releases/download/javamelody-core-1.90.0/javamelody-collector-server-1.90.0.war


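The message above rests on two checkable facts: the core jar and the plugins do not bundle log4j, and the collect server 1.90.0 bundles log4j 2.16.0. Rather than trusting a dependency tree, a practitioner would inspect the deployed artifact itself. The following is an added example, not JavaMelody project code: it walks a WAR (and any jars nested inside it), lists every log4j-core jar by the version in its file name, and compares that version with 2.16.0, the release the advisory points at. The sample WAR it builds in memory is constructed for illustration; the jar names and manifest contents in it are made up.

```python
"""Look for bundled log4j-core jars inside a WAR/JAR and compare their version
with the 2.16.0 release named in the JavaMelody advisory.
Added example, not code from the JavaMelody project."""
import io
import re
import sys
import zipfile

# Matches WEB-INF/lib/log4j-core-2.14.1.jar and similar; shaded or renamed
# copies of log4j are deliberately out of scope for this file-name based check.
LOG4J_CORE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)+)\.jar$")
FIXED = (2, 16, 0)  # log4j version bundled with collect server 1.90.0 per the advisory


def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_log4j_core(archive_bytes, prefix=""):
    """Recursively return (path, version) for every log4j-core jar in the archive.

    Nested archives (jars under WEB-INF/lib, a WAR inside an EAR) are descended
    into; the path uses the usual 'outer.war!/inner.jar' notation.
    """
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found  # not a zip container, nothing to descend into
    with zf:
        for name in zf.namelist():
            match = LOG4J_CORE.search(name)
            if match:
                found.append((prefix + name, parse_version(match.group(1))))
            elif name.endswith((".jar", ".war", ".ear")):
                found.extend(find_log4j_core(zf.read(name), prefix + name + "!/"))
    return found


def assess(archive_bytes):
    """Return (verdict, findings): 'no-log4j-core', 'upgrade-needed' or 'ok'."""
    findings = find_log4j_core(archive_bytes)
    if not findings:
        return "no-log4j-core", findings
    if any(version < FIXED for _, version in findings):
        return "upgrade-needed", findings
    return "ok", findings


def build_sample_war(log4j_version=None):
    """Constructed sample WAR (not a real artifact) with an optional log4j-core jar."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for entry_name, data in entries.items():
                z.writestr(entry_name, data)
        return buf.getvalue()

    manifest = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    entries = {
        "WEB-INF/web.xml": b"<web-app/>",
        # hypothetical javamelody-core jar: present, but carries no log4j
        "WEB-INF/lib/javamelody-core-1.89.0.jar": make_zip(manifest),
    }
    if log4j_version:
        entries[f"WEB-INF/lib/log4j-core-{log4j_version}.jar"] = make_zip(manifest)
    return make_zip(entries)


if __name__ == "__main__":
    # Usage: python check_log4j.py path/to/app.war  (defaults to the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_war("2.14.1")
    verdict, findings = assess(data)
    for path, version in findings:
        print(f"{path}: log4j-core {'.'.join(map(str, version))}")
    print("verdict:", verdict)
```

Run it against the downloaded javamelody-collector-server-1.90.0.war to confirm the 2.16.0 jar is the only log4j-core present, and against your own application's WAR to confirm there is none. Because the check keys on file names, a log4j copy shaded into another jar would not be reported; a scan for the class path `org/apache/logging/log4j/core/lookup/JndiLookup.class` inside each nested jar would catch that case at the cost of more false positives.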