mybatis / mybatis-migration project status related to log4shell CVE-2021-44228


Luc Chauvin

Dec 13, 2021, 5:10:52 AM
to mybatis-user
Hi,

Has anyone evaluated the impact of the log4shell flaw on mybatis & mybatis-migration?
(CVE-2021-44228)

Regards

luc

Luc Chauvin

Dec 13, 2021, 7:29:46 AM
to mybati...@googlegroups.com
MyBatis 3.5.8, released yesterday, includes a "Bump log4j-core from 2.14.1 to 2.15.0":
https://github.com/mybatis/mybatis-3/pull/2398


--
You received this message because you are subscribed to the Google Groups "mybatis-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mybatis-user...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/mybatis-user/9e891002-7d46-46f0-8acd-a55504339b65n%40googlegroups.com.

Iwao AVE!

Dec 13, 2021, 8:29:46 AM
to mybatis-user
Hello Luc,

MyBatis-Migrations does not use Log4J (or any other logging library).

MyBatis (core) supports several logging implementations.
If you are using LOG4J2 as the logging implementation, you should upgrade Log4J to version 2.15.0.

Just to be clear, MyBatis version is irrelevant because Log4J2 is an optional dependency [1].

If you cannot upgrade Log4J for some reason, there seem to be workarounds.
As I may not be able to provide accurate information, please search for it yourself.

Regards,
Iwao


Luc Chauvin

Dec 13, 2021, 9:13:48 AM
to mybati...@googlegroups.com
Hello Iwao,

Thank you for the clarification: we had come to this conclusion.
Now it is validated by an authorized person ;-)


John Somers

Dec 20, 2021, 4:16:34 AM
to mybatis-user
Hi Iwao,

Is there an update in the works to replace log4j 2.15.0 with 2.17?

Thanks
John.

Iwao AVE!

Dec 20, 2021, 6:20:36 AM
to mybatis-user
Hello John,

The PR that updates the Log4J2 dependency is already merged, but it is irrelevant to your project because its scope is 'optional'.
Regardless of the MyBatis version you are using, you can (and have to) update the Log4J2 version in _your_ pom.xml.

Please let me know if you need further clarification.

Regards,
Iwao
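The point Iwao makes above, that an optional dependency of MyBatis is never pulled in transitively and the Log4j 2 version is therefore whatever the application's own pom.xml declares, shown as a Maven fragment. This is an added example, not code from the MyBatis project or from anyone in this thread. The `org.mybatis:mybatis` and `org.apache.logging.log4j` coordinates are the real ones and 3.5.8 is the MyBatis release named in the thread; `com.example:demo-app` is a placeholder, and 2.17.0 is assumed as a concrete release on the 2.17 line John asks about.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- placeholder coordinates for the application being patched -->
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Pin the Log4j 2 version in one place; every module that inherits
         this pom gets the same value -->
    <log4j2.version>2.17.0</log4j2.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Forces this version onto any log4j-core / log4j-api that some
           other library in the tree might declare with an older version -->
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- MyBatis declares log4j-core as optional, so it is NOT pulled in
         transitively: bumping the MyBatis version alone changes nothing
         about the Log4j jar your application ships -->
    <dependency>
      <groupId>org.mybatis</groupId>
      <artifactId>mybatis</artifactId>
      <version>3.5.8</version>
    </dependency>

    <!-- The log4j-core that actually ends up on the classpath is the one
         the application declares itself; the version is resolved from
         dependencyManagement above, and this is the entry to update -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm which Log4j version the build really resolves, run `mvn dependency:tree -Dincludes=org.apache.logging.log4j` in the project: it prints only the Log4j artifacts in the resolved tree, so a leftover 2.14.x or 2.15.0 brought in by some other dependency shows up immediately.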
