On Log4j security vulnerability

Hello everyone,

A disastrous security vulnerability has been found recently: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

The Jmix framework, as well as CUBA, does not use the Log4j library directly and does not bring it in through transitive dependencies. If you run this command:

 ./gradlew dependencies | grep log4j

you may see the following dependencies, which are just interface adapters:

org.apache.logging.log4j:log4j-1.2-api:2.14.1
org.apache.logging.log4j:log4j-to-slf4j:2.14.1

The vulnerability is located in log4j-core. If you use dependencies other than the standard Jmix add-ons, they can potentially bring in the vulnerable library, so it is better to check the dependency tree as shown above, or just look at the contents of the deployed application.
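An added example, not part of the original post, of automating that check: a POSIX shell script that reads the saved output of `./gradlew dependencies` and flags any log4j-core coordinate older than 2.15.0 (the release named further down). The script name, the minimum version constant and the sample dependency tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: scan text output of `./gradlew dependencies` for
# org.apache.logging.log4j:log4j-core entries older than MIN_VERSION.
# Usage (file name is an assumption): ./gradlew dependencies > tree.txt; sh check_log4j.sh tree.txt
MIN_VERSION="2.15.0"

# scan_log4j_tree FILE: prints each vulnerable log4j-core version once; exit 1 if any found
scan_log4j_tree() {
  awk -v min="$MIN_VERSION" '
    function vercmp(a, b,   x, y, i) {        # numeric compare of dotted versions
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 3; i++) { if (x[i]+0 < y[i]+0) return -1; if (x[i]+0 > y[i]+0) return 1 }
      return 0
    }
    {
      if (match($0, /org\.apache\.logging\.log4j:log4j-core:[0-9.]+/)) {
        coord = substr($0, RSTART, RLENGTH)
        split(coord, p, ":"); ver = p[3]
        # Gradle prints the conflict-resolved version after "->"; that is what ships
        if (match($0, /-> [0-9.]+/)) ver = substr($0, RSTART + 3, RLENGTH - 3)
        if (vercmp(ver, min) < 0 && !seen[ver]++) {
          print "VULNERABLE log4j-core " ver " (< " min ")"; bad = 1
        }
      }
    }
    END { exit (bad ? 1 : 0) }
  ' "$1"
}

# write_sample_tree FILE: constructed dependency-tree excerpt in Gradle's text format
write_sample_tree() {
  cat > "$1" <<'EOF'
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1
\--- com.example:third-party-addon:1.0
     \--- org.apache.logging.log4j:log4j-core:2.13.3
runtimeClasspath - Runtime classpath of source set 'main'.
\--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.15.0
EOF
}

if [ -n "${1:-}" ]; then scan_log4j_tree "$1"; fi
```

The grep in the post finds the adapter artifacts too; this script reports only log4j-core, and only when the resolved version is below the fix.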

If you find the log4j-core module in the dependencies, immediately upgrade your project to the latest version of Log4j. In a Jmix application, you can do it as follows:

dependencies {
    // the BOM pins every log4j artifact, including log4j-core, to this version
    implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))
    // ...
}

Regards,
Konstantin