log4j vulnerability


siim....@gmail.com

Dec 13, 2021, 5:59:42 AM
to MailArchiva
Looks like the latest MailArchiva 8.4.1 is affected by the recent log4j vulnerability.
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Can we expect an update or a patch any time soon? Till then, is there a workaround?

jamie

Dec 13, 2021, 9:08:48 AM
to MailArchiva

The library may be present due to a dependency of a dependency, but the library is not in use. MailArchiva uses logback, not log4j. 
I hope this clarifies!

siim....@gmail.com

Dec 13, 2021, 9:58:45 AM
to MailArchiva
Cool. Thank you for clearing this up ;)

G. S. Nord

Dec 15, 2021, 2:44:35 AM
to MailArchiva
I am using MailArchiva 8 on Windows. I found the following files in C:\ProgramData\MailArchiva\Tomcat\webapps\ROOT\WEB-INF\lib

log4j-api-2.12.1.jar (276.771 Bytes) 10.3.2021
log4j-core-2.12.1.jar (1.674.433 Bytes) 10.3.2021
log4j-over-slf4j-1.7.32.jar (23.767 Bytes) 9.9.2021

I renamed them to *.ja_ and started the MailArchiva service. It seems to run normally; nothing special in the log files.

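The by-hand inventory above can be scripted. This is an added example (Python, not MailArchiva's code) that walks a WEB-INF/lib directory, picks out log4j-core jars by filename, and checks whether each still contains the JndiLookup class that CVE-2021-44228 abuses, flagging versions below 2.15.0 (2.12.2 excepted) that still ship it. The jars it scans are constructed stand-ins named after the files listed in the thread plus two controls; the directory layout and version rule are assumptions, not something the page states.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$", re.IGNORECASE)
FIXED_BACKPORT = (2, 12, 2)  # Java 7 line that also carries the CVE-2021-44228 fix

def is_affected(version, has_jndi_lookup):
    """Affected: log4j-core below 2.15.0 (2.12.2 excepted) that still ships JndiLookup."""
    if not has_jndi_lookup:
        return False  # class removed from the jar: the published manual mitigation
    return version < (2, 15, 0) and version != FIXED_BACKPORT

def scan_jars(root):
    """Walk root (e.g. WEB-INF/lib); return sorted (relpath, version, has_jndi, affected)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = CORE_RE.match(name)
            if not m:
                continue  # log4j-api and log4j-over-slf4j are not the vulnerable artifact
            path = os.path.join(dirpath, name)
            version = tuple(int(x) for x in m.groups())
            with zipfile.ZipFile(path) as jar:
                has_jndi = JNDI_CLASS in jar.namelist()
            findings.append((os.path.relpath(path, root), version, has_jndi, is_affected(version, has_jndi)))
    return sorted(findings)

def _make_jar(path, entries):
    """Constructed stand-in jar: only the entry names matter for this check."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"")

def demo():
    """Constructed lib dir mirroring the thread's jars, plus a fixed version and a stripped jar."""
    with tempfile.TemporaryDirectory() as lib:
        _make_jar(os.path.join(lib, "log4j-api-2.12.1.jar"), ["org/apache/logging/log4j/Logger.class"])
        _make_jar(os.path.join(lib, "log4j-core-2.12.1.jar"), [JNDI_CLASS, "org/apache/logging/log4j/core/Core.class"])
        _make_jar(os.path.join(lib, "log4j-over-slf4j-1.7.32.jar"), ["org/apache/log4j/Logger.class"])
        _make_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), [JNDI_CLASS, "org/apache/logging/log4j/core/Core.class"])
        _make_jar(os.path.join(lib, "stripped", "log4j-core-2.12.1.jar"), ["org/apache/logging/log4j/core/Core.class"])
        return scan_jars(lib)

if __name__ == "__main__":
    for rel, version, has_jndi, affected in demo():
        print(f"{rel}: {'.'.join(map(str, version))} JndiLookup={has_jndi} affected={affected}")
```

Presence of the jar alone says nothing about whether the application routes logging through it (MailArchiva states it uses logback), so treat a hit as an inventory finding to pair with the vendor's statement, not as proof of exposure.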

Jamie

Dec 15, 2021, 2:54:50 AM
to MailArchiva
I don't think it's necessary because MailArchiva uses LOGBACK; however, we will in any case upgrade the log4j lib to the patched version in the next release.

Jamie

Dec 16, 2021, 12:26:02 PM
to MailArchiva
As stated prior, we don't believe MailArchiva is vulnerable since we are using logback as our logging framework, although the log4j library is included with the build as a dependency of a dependency. As far as we can tell, the lib is not used. If you are worried about it, download 8.4.2 from https://mailarchiva.com/downloads/ and upgrade. This version has log4j libraries excluded from the build altogether.