Hello,
I am writing to ask whether sFlow-RT is affected by the recent (severe) RCE vulnerability discovered in Log4j currently making headlines.
If not: Are there any preventative measures being taken to ensure sFlow-RT has no safety regressions? I'm imagining things like 1) setting the Java system property `log4j2.formatMsgNoLookups` even in the absence of the library, if this is possible and makes sense, so that changes to sFlow-RT's dependency tree that bring in Log4j don't introduce the RCE; 2) setting the environment variable `LOG4J_FORMAT_MSG_NO_LOOKUPS` in the sFlow-RT Docker container(s); both of which are prescribed by this web page (under the heading "Fixed in Log4j 2.15.0"): https://logging.apache.org/log4j/2.x/security.html
If so: When can we expect patched versions of sFlow-RT (and hopefully an updated Docker image)? Once identified, a blog post to use as an absolute reference for which versions of sFlow-RT are vulnerable and which version is patched would be very helpful.
Thanks!
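An added example (not from the post or from the sFlow-RT project) of the check a defender would run before relying on either knob the post names: it scans a directory of jars for the JndiLookup class, reads the Log4j version from the manifest, and reports whether each jar is still exposed given the 2.15.0 fix release the linked advisory cites and whether the property or environment variable is set. The jar directory, the sample jars and the JVM argument list are constructed for the demo; the property is assumed to be honoured only by Log4j 2.10 and later, as the advisory states.

```python
import os, re, tempfile, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
FIX_VERSION = (2, 15, 0)    # release the linked Apache advisory lists as fixed
PROPERTY_MIN = (2, 10, 0)   # formatMsgNoLookups is only honoured from 2.10 onwards

def inspect_jar(path):
    """Return (version tuple or None, whether JndiLookup.class is inside the jar)."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace") if "META-INF/MANIFEST.MF" in names else ""
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)\.(\d+)", manifest, re.M)
    version = tuple(int(p) for p in m.groups()) if m else None
    return version, JNDI_LOOKUP in names

def mitigation_set(env, jvm_args):
    """True if either knob the post names is set: the env var or the -D system property."""
    return (env.get("LOG4J_FORMAT_MSG_NO_LOOKUPS", "").lower() == "true"
            or "-Dlog4j2.formatMsgNoLookups=true" in jvm_args)

def assess(jar_dir, env, jvm_args):
    """List (jar, version, still_exposed) for every jar in jar_dir that ships JndiLookup.class."""
    findings = []
    for name in sorted(f for f in os.listdir(jar_dir) if f.endswith(".jar")):
        version, has_jndi = inspect_jar(os.path.join(jar_dir, name))
        if not has_jndi:
            continue   # no JndiLookup class, so not reachable via this vector
        patched = version is not None and version >= FIX_VERSION
        # the property/env var only helps on releases that honour it; older ones need an upgrade
        mitigated = mitigation_set(env, jvm_args) and version is not None and version >= PROPERTY_MIN
        findings.append((name, version, not (patched or mitigated)))
    return findings

def make_sample_jar(path, version, include_jndi):
    """Constructed stand-in jar for the demo, not a real Log4j artifact."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def demo():
    d = tempfile.mkdtemp()
    make_sample_jar(os.path.join(d, "log4j-core-2.14.1.jar"), "2.14.1", True)
    make_sample_jar(os.path.join(d, "log4j-core-2.15.0.jar"), "2.15.0", True)
    make_sample_jar(os.path.join(d, "other-lib-1.0.jar"), "1.0", False)
    # same jars, once without and once with LOG4J_FORMAT_MSG_NO_LOOKUPS set in the environment
    return assess(d, {}, []), assess(d, {"LOG4J_FORMAT_MSG_NO_LOOKUPS": "true"}, [])

if __name__ == "__main__":
    for label, result in zip(("unmitigated", "env var set"), demo()):
        print(label, result)
```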