
CVE-2021-44228 + slf4j + common-logging

I am using slf4j in my project with the following:

implementation "org.slf4j:slf4j-api:${versions.slf4japi}"  (1.7.32)
implementation "org.slf4j:slf4j-simple:${versions.slf4jsimple}"  (1.7.32)

I am really confused because I don't have the log4j-1.2.17.jar in my project but in common-logging I have this dependency:

<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
  <optional>true</optional>
</dependency>

I am aware that they made a statement and I am nearly kind of sure that my project is concerned and I don't know how I can fix it! Any help will be appreciated.

First of all, as mentioned in the SLF4J post you have linked, Log4j 1 is not affected by CVE-2021-44228 (but is end of life and affected by other vulnerabilities). Additionally it is marked as optional dependency so by default not included when you depend on common-logging, see the POM Reference and Introduction to the Dependency Mechanism, which mentions this as well:

It may be helpful to think of optional dependencies as "excluded by default."
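A way to verify what actually ends up on the classpath, added here as an example and not taken from the question, the answer or any of the projects named: given a directory into which the build's resolved jars have been copied (an assumed location, e.g. a Maven target/lib directory or jars collected from the Gradle cache), it tells a Log4j 1.x jar apart from a Log4j 2 core jar that carries the JNDI lookup, and also looks inside nested jars such as a Spring Boot fat jar.

```python
# Assumed helper script (added example, not from the question, the answer or
# any project named above): classify the jars on a resolved classpath by the
# class files they contain. Log4j 1.x ships org/apache/log4j/Logger.class;
# Log4j 2 core with its JNDI lookup ships .../core/lookup/JndiLookup.class.
import io
import os
import zipfile

LOG4J1_MARKER = "org/apache/log4j/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def _entry_names(zf):
    """All entry names in a jar, descending into nested jars (uber/fat jars)."""
    names = set()
    for entry in zf.namelist():
        names.add(entry)
        if entry.endswith(".jar"):  # e.g. BOOT-INF/lib/*.jar in a Spring Boot jar
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(entry))) as inner:
                    names.update(_entry_names(inner))
            except zipfile.BadZipFile:
                pass  # a non-zip member that merely ends in .jar
    return names


def classify_jar(path):
    """Label one jar: 'log4j2-jndi', 'log4j1', 'clean' or 'unreadable'."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = _entry_names(jar)
    except zipfile.BadZipFile:
        return "unreadable"
    if JNDI_LOOKUP in names:
        return "log4j2-jndi"
    if LOG4J1_MARKER in names:
        return "log4j1"
    return "clean"


def scan_classpath(directory):
    """Map each *.jar under `directory` (as a relative path) to its label."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".jar"):
                full = os.path.join(root, name)
                report[os.path.relpath(full, directory)] = classify_jar(full)
    return report
```

A jar labelled log4j1 is the Log4j 1 artifact the answer discusses (not affected by CVE-2021-44228, but end of life); a log4j2-jndi label is the one that needs the Log4j 2 remediation.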
