DiscordSRV

Update or replace log4j due to CVE-2021-44228

soxguy opened this issue · 2 comments

commented

Why?

Zero-day exploit in certain versions of log4j, including the 2.0-beta-9 version being used in DiscordSRV 1.24.0

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

What and How?

log4j dependency should be updated to 2.15.0

Are there alternatives?

Replace log4j dependency with another logging framework altogether.

Checks

  • I have used the search at least once to check if my idea has already been suggested and perhaps already implemented.

Anything else

No response

commented

The log4j dependency that DiscordSRV uses is provided by the server. DiscordSRV has it as a compilation dependency only because we have a couple things that interface with it. Log4j itself isn't packaged with the plugin.

commented

I can confirm it's not shipped in the plugin jar. I did a whole audit of my servers' plugins for this reason, and nothing was found.

Thank you for confirming also. 👍
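
The kind of audit described in the comments above, as an added example that is not part of the original thread or DiscordSRV's code: it checks whether a plugin jar, including any jars nested inside it, actually packages log4j-core by looking for the `JndiLookup` class. The function names are hypothetical, and the jar contents and the version string in the samples are constructed.

```python
import io
import re
import zipfile

# Class that implements the JNDI lookup abused in CVE-2021-44228; matching on the
# suffix also catches copies relocated (shaded) under another package prefix.
JNDI_SUFFIX = "core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return findings for bundled log4j-core in one archive (bytes), recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to report
    with zf:
        names = zf.namelist()
        hits = [n for n in names if n.endswith(JNDI_SUFFIX)]
        if hits:
            version = None
            if POM_PROPS in names:
                m = re.search(rb"^version=(.+)$", zf.read(POM_PROPS), re.M)
                version = m.group(1).decode().strip() if m else None
            findings.append({"archive": label, "class": hits[0], "version": version})
        if depth < max_depth:  # bounded recursion into fat jars
            for n in names:
                if n.lower().endswith(NESTED):
                    findings += scan_archive(zf.read(n), f"{label}!{n}", depth + 1, max_depth)
    return findings

def build_jar(entries):
    """Build an in-memory jar from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a plugin that only compiles against log4j, and one that bundles it.
clean = build_jar({"plugin.yml": b"name: Example", "com/example/Main.class": b""})
inner = build_jar({"org/apache/logging/log4j/" + JNDI_SUFFIX: b"",
                   POM_PROPS: b"groupId=org.apache.logging.log4j\nversion=2.14.1\n"})
bundled = build_jar({"plugin.yml": b"name: Fat", "lib/log4j-core.jar": inner})

if __name__ == "__main__":
    for label, data in (("clean.jar", clean), ("bundled.jar", bundled)):
        print(label, scan_archive(data, label))
```

To audit real plugins, read each file in the server's plugins directory as bytes and pass it to `scan_archive`; an empty result means the jar does not package the class, which matches the compile-only dependency described above.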