On Log4j security vulnerability

Hello everyone,

A disastrous security vulnerability was found recently: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

The Jmix framework, like CUBA, does not use the Log4j library directly and does not bring it in through transitive dependencies. If you run this command:

 ./gradlew dependencies | grep log4j

you may see the following dependencies, which are just interface adapters:


The vulnerability is located in log4j-core. If you use dependencies other than the standard Jmix add-ons, they can potentially bring in the vulnerable library, so it is better to check the dependency tree as shown above, or just look at the contents of the deployed application.
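One way to do the "look at the contents of the deployed application" check, as an added example that is not part of the original post or of Jmix: it walks a deployed JAR/WAR, including nested jars, and reports log4j-core (by file name or by its class package) while ignoring the adapters. The archive layout, file names and 0.0.0 versions in the sample are constructed.

```python
import io
import re
import zipfile

# Matches only the log4j-core artifact, not adapters such as log4j-api.
CORE_JAR = re.compile(r"(^|/)log4j-core-[^/]*\.jar$")
# Package of log4j-core classes; finds copies repackaged into another jar.
CORE_PKG = "org/apache/logging/log4j/core/"


def find_log4j_core(data, label, depth=4):
    """Return sorted locations of log4j-core in an archive passed as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a readable archive
    hits = set()
    with zf:
        for name in zf.namelist():
            where = f"{label}!/{name}"
            if CORE_JAR.search(name):
                hits.add(where)
            elif CORE_PKG in name and name.endswith(".class"):
                hits.add(f"{label} (contains {CORE_PKG} classes)")
            elif name.lower().endswith((".jar", ".war", ".ear")) and depth > 0:
                hits.update(find_log4j_core(zf.read(name), where, depth - 1))
    return sorted(hits)


def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_app():
    """Constructed fat JAR: two adapters, log4j-core, and a repackaged copy."""
    lib = "BOOT-INF/lib/"
    return make_zip({
        lib + "log4j-api-0.0.0.jar": make_zip({"org/apache/logging/log4j/Logger.class": b""}),
        lib + "log4j-to-slf4j-0.0.0.jar": make_zip({"org/apache/logging/slf4j/SLF4JLogger.class": b""}),
        lib + "log4j-core-0.0.0.jar": make_zip({CORE_PKG + "Logger.class": b""}),
        lib + "vendor-addon-0.0.0.jar": make_zip({CORE_PKG + "Logger.class": b""}),
    })


if __name__ == "__main__":
    print("\n".join(find_log4j_core(sample_app(), "app.jar")))
```

To scan a real artifact, pass its bytes and a label, for example `find_log4j_core(open(path, "rb").read(), path)`.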

If you find the log4j-core module in the dependencies, immediately upgrade your project to the latest version of Log4j. In a Jmix application, you can do it as follows:

dependencies {
    // ...