Skip to content

Commit 4442c2a

Browse files
JacquesLeRouxJacquesLeRoux
committed
Fixed: [SECURITY] CVE-2021-45105: Apache Log4j2 (OFBIZ-12470)
CVE-2021-45105: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 does not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue is fixed in Log4j 2.17.0.: https://logging.apache.org/log4j/2.x/security.html
1 parent 8026241 commit 4442c2a

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

build.gradle

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -190,7 +190,7 @@ dependencies {
190190
compile 'org.apache.geronimo.components:geronimo-transaction:3.1.4'
191191
compile 'org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1'
192192
compile 'org.apache.httpcomponents:httpclient-cache:4.5.6'
193-
compile 'org.apache.logging.log4j:log4j-api:2.16.0' // the API of log4j 2
193+
compile 'org.apache.logging.log4j:log4j-api:2.17.0' // the API of log4j 2
194194
compile 'org.apache.poi:poi:3.17'
195195
compile 'org.apache.pdfbox:pdfbox:2.0.24'
196196
compile 'org.apache.shiro:shiro-core:1.4.0'
@@ -231,11 +231,11 @@ dependencies {
231231
runtime 'org.apache.axis2:axis2-transport-local:1.7.8'
232232
runtime 'org.apache.derby:derby:10.14.2.0'
233233
runtime 'org.apache.geronimo.specs:geronimo-jaxrpc_1.1_spec:1.1'
234-
runtime 'org.apache.logging.log4j:log4j-1.2-api:2.16.0' // for external jars using the old log4j1.2: routes logging to log4j 2
235-
runtime 'org.apache.logging.log4j:log4j-core:2.16.0' // the implementation of the log4j 2 API
236-
runtime 'org.apache.logging.log4j:log4j-jul:2.16.0' // for external jars using the java.util.logging: routes logging to log4j 2
237-
runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.16.0' // for external jars using slf4j: routes logging to log4j 2
238-
runtime 'org.apache.logging.log4j:log4j-jcl:2.16.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
234+
runtime 'org.apache.logging.log4j:log4j-1.2-api:2.17.0' // for external jars using the old log4j1.2: routes logging to log4j 2
235+
runtime 'org.apache.logging.log4j:log4j-core:2.17.0' // the implementation of the log4j 2 API
236+
runtime 'org.apache.logging.log4j:log4j-jul:2.17.0' // for external jars using the java.util.logging: routes logging to log4j 2
237+
runtime 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0' // for external jars using slf4j: routes logging to log4j 2
238+
runtime 'org.apache.logging.log4j:log4j-jcl:2.17.0' // need to constrain to version to avoid classpath conflict (ReflectionUtil)
239239
runtime 'org.codeartisans.thirdparties.swing:batik-all:1.8pre-r1084380'
240240

241241
// plugin libs

0 commit comments

Comments
 (0)