(no) log4j vulnerability

Yannick Marcon

Dec 13, 2021, 11:00:50 AM
to obiba...@googlegroups.com
Hi,

For those who are wondering whether the vulnerability issue CVE-2021-44228 affects OBiBa applications, the answer is no because logback has been used in place of log4j since 2013.

If there are still log4j libs that appear in the distributed packages (mica, agate, rock), these are coming from third-party dependencies and are not being used. These dependencies have now been explicitly removed from the packaging process for clarity; future releases of rock, mica and agate will integrate this patch.

Regards
Yannick

Dmitry Kuznetsov

Dec 17, 2021, 4:16:53 AM
to obiba-users
Hi Yannick, 

Am I right that rserver [required by OPAL] uses this library:
/usr/share/rserver-admin-1.6.0/lib/log4j-over-slf4j-1.7.6.jar
?

thanks for clarification,
Dmitry.

Yannick Marcon

Dec 17, 2021, 4:31:26 AM
to obiba...@googlegroups.com
rserver-admin has been deprecated and replaced by rock since March 2021.

Anyway, this slf4j/log4j bridge library is not used, as logback is the logging system of this application.

Yannick
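
One way to check the distinction discussed in this thread against a packaged application, as an added example that is not part of the original messages or of OBiBa's code: it walks an archive and any nested jars, and separates log4j-core (which carries the `JndiLookup` class behind CVE-2021-44228) from jars that only contain the log4j 1.x package names, such as bridge libraries. The function names are hypothetical and the sample archive is constructed.

```python
import io
import zipfile

# Class implementing the JNDI lookup behind CVE-2021-44228 (log4j-core 2.x).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
# Package used by log4j 1.x and by re-implementations such as log4j-over-slf4j.
LOG4J1_PREFIX = "org/apache/log4j/"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def classify(names):
    """Map the entry names of one archive to a finding, or None."""
    if JNDI_LOOKUP in names:
        return "log4j-core with JndiLookup"
    if any(n.startswith(CORE_PREFIX) for n in names):
        return "log4j-core without JndiLookup"
    if any(n.startswith(LOG4J1_PREFIX) for n in names):
        return "log4j 1.x API only (log4j 1.x or a bridge)"
    return None

def scan(data, label):
    """Return [(archive path, finding)] for an archive and everything nested in it."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            verdict = classify(names)
            if verdict:
                findings.append((label, verdict))
            for n in names:
                if n.lower().endswith(ARCHIVES):
                    findings += scan(zf.read(n), label + "!/" + n)
    except zipfile.BadZipFile:
        findings.append((label, "unreadable archive"))
    return findings

def make_jar(entries):
    """Build a constructed in-memory jar from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: an application archive bundling a bridge jar.
    bridge = make_jar({"org/apache/log4j/Logger.class": b""})
    app = make_jar({"lib/log4j-over-slf4j-1.7.6.jar": bridge})
    print(scan(app, "app.jar"))
```

To check an installed package, read each file under its lib directory as bytes and pass it to `scan()`; only a "log4j-core with JndiLookup" finding indicates the class tied to this CVE is present.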

