Page 1 of 1

Log4j CVE-2021-45046 advice

PostPosted: Thu Dec 16, 2021 12:20 pm
by jason
This post is about the Log4j vulnerability recorded at ... 2021-45046

You should determine whether your application is using log4j, and if so, address the documented risk.

By way of background, in v3 of Nov 2013, docx4j switched from log4j to slf4j. This means that for docx4j 3.0 onwards, the choice of logging implementation has been up to you: you could choose to use log4j, or eg logback instead.

For Maven users, ... om.xml#L67 shows how to use logback or log4j

(The docx4j zip distributions have shipped with both log4j and logback, so you could select the one you wanted)

How to check your application

If you are using maven, you can run mvn dependency:tree on your pom.xml, and look for log4j

Alternatively, you can look at the jars you have deployed, and look for log4j

If you are using log4j, follow the instructions at or consider logback instead.

If you switch to logback, a config file may be found at ... ogback.xml