JosephSlawinski
Joined: Dec 28, 2016
Messages: 4
Offline
Log4J has high vulnerabilities reported. Is there any way to use jtapi version 8.1.3 without the Log4j dependency? Currently a security scan has flagged my project and I am required to resolve the security issue.

https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Arbitrary Code Execution: log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in `TcpSocketServer` and `UdpSocketServer` when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.


Thank You,

Joseph
JosephSlawinski
Joined: Dec 28, 2016
Messages: 4
Offline
I was able to update to the latest version of log4j, 2.14.1. It appears to work. The following dependencies were added to my POM file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
</dependency>

Next application scan will determine if the issue is resolved.
MartinFlynn
Joined: Nov 30, 2009
Messages: 1922
Online
The current plan is to upgrade the version of log4j in JTAPI and DMCC for AES 10.1, which is the next major release.

Martin
JosephSlawinski
Joined: Dec 28, 2016
Messages: 4
Offline
Was able to deploy log4j version 2. Refer to the following URL for version 2 to 1 compatibility.

https://logging.apache.org/log4j/2.x/manual/compatibility.html

The following dependency was added to the POM file.

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.14.1</version>
</dependency>

Awaiting latest scan results to determine if this clears the issue.
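An added startup self-check (not from this thread or from Avaya's JTAPI) that verifies the POM change above took effect at runtime: the legacy org.apache.log4j API that JTAPI calls must resolve to the log4j-1.2-api bridge jar, log4j-core 2.x must be present behind it, and the 1.2 implementation's org.apache.log4j.net.SocketServer (the class behind CVE-2019-17571) must be absent. It assumes the jars are on a normal Maven classpath under their standard file names, not repackaged into one fat jar, and assumes the bridge jar does not itself ship a SocketServer class.

```java
import java.security.CodeSource;

/**
 * Startup self-check (added example): confirms the legacy org.apache.log4j API
 * used by JTAPI is served by the log4j-1.2-api bridge backed by log4j-core 2.x,
 * and that the end-of-life log4j 1.2 jar is no longer on the classpath.
 */
public final class Log4jBridgeCheck {

    /** Jar location a class was loaded from, or null if it is not on the classpath. */
    static String locationOf(String className) {
        try {
            CodeSource src = Class.forName(className).getProtectionDomain().getCodeSource();
            return src == null ? "<boot classpath>" : src.getLocation().toString();
        } catch (ClassNotFoundException e) {
            return null;
        }
    }

    /** True when the bridge is in place and the 1.x implementation is gone. */
    public static boolean bridgeIsActive() {
        // Legacy API entry point must come from log4j-1.2-api-*.jar, not log4j-1.2.*.jar
        // (assumption: standard Maven jar names, no shading).
        String legacyApi = locationOf("org.apache.log4j.Logger");
        boolean fromBridge = legacyApi != null && legacyApi.contains("log4j-1.2-api");

        // log4j-core 2.x must be present; the bridge only forwards, it does not write logs.
        boolean coreV2Present = locationOf("org.apache.logging.log4j.core.Logger") != null;

        // SocketServer ships only with the 1.2 implementation (assumption: absent from the bridge).
        boolean legacyServerGone = locationOf("org.apache.log4j.net.SocketServer") == null;

        return fromBridge && coreV2Present && legacyServerGone;
    }

    public static void main(String[] args) {
        System.out.println("org.apache.log4j.Logger loaded from : " + locationOf("org.apache.log4j.Logger"));
        System.out.println("log4j-core 2.x present              : " + (locationOf("org.apache.logging.log4j.core.Logger") != null));
        System.out.println("log4j 1.2 SocketServer present      : " + (locationOf("org.apache.log4j.net.SocketServer") != null));
        if (!bridgeIsActive()) {
            throw new IllegalStateException("log4j 1.2 implementation still reachable on the classpath");
        }
    }
}
```

Run it with the application's full runtime classpath; a failure here means a transitive log4j:log4j 1.2.x jar is still being pulled in and needs an exclusion in the POM.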
JosephSlawinski
Joined: Dec 28, 2016
Messages: 4
Offline
Issue cleared with latest version of log4j.