Issue cleared with latest version of log4j.

Was able to deploy lo4j version 2. Refer to the following URL for version 2 to 1 compatibility.

https://logging.apache.org/log4j/2.x/manual/compatibility.html

The following dependency was added to the POM file.

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-1.2-api</artifactId>
<version>2.14.1</version>
</dependency>

Awaiting latest scan results to determine if this clears the issue.

I was able to update to the latest version of log4j 2.14.1. I appears to work. The following dependencies were added to my POM file.

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
</dependency>

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.1</version>
</dependency>

Next application scan will determine if the issue is resolved.

Log4J has high vulnerabilities reported. Is there any way to use jtapi version 8.1.3 without the Log4j dependency. Currently a security scan has flagged my project and I am required to resolve the security issue.

https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Arbitrary Code Execution: log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in `TcpSocketServer` and `UdpSocketServer` when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.


Thank You,

Joseph