Log4j CVE-2021-45046 advice

Posted: Thu Dec 16, 2021 12:20 pm
by jason
This post is about the Log4j vulnerability recorded at
https://cve.mitre.org/cgi-bin/cvename.c ... 2021-45046

You should determine whether your application is using log4j, and if so, address the documented risk.

By way of background, in v3 of Nov 2013, docx4j switched from log4j to slf4j. This means that for docx4j 3.0 onwards, the choice of logging implementation has been up to you: you could choose to use log4j, or e.g. logback instead.

For Maven users, https://github.com/plutext/docx4j/blob/ ... om.xml#L67 shows how to use logback or log4j.

(The docx4j zip distributions have shipped with both log4j and logback, so you could select the one you wanted)

How to check your application

If you are using Maven, you can run mvn dependency:tree on your pom.xml and look for log4j.

Alternatively, you can look at the jars you have deployed and look for log4j.
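For the second check, looking through deployed jars by hand does not scale past a handful of files, and it misses log4j-core bundled inside a war or uber-jar. The script below is an added example, not docx4j code or anything from the Apache advisory: it walks a directory, identifies any jar (including jars nested inside other archives) that carries org.apache.logging.log4j.core classes, reads the version from the manifest or the file name, and reports whether the JndiLookup class is still present. The fix-version floors (2.16.0, and 2.12.2 for the Java 7 branch) are the ones the Apache advisory gave for CVE-2021-45046 in December 2021; the file names, manifest contents and directory layout in demo() are constructed fixtures, and the verdict logic is this example's own simplification of the advisory, not an official checker.

```python
"""Scan deployed jars for Log4j 2 core and flag CVE-2021-45046 exposure.

Added example (not docx4j's code). Policy, a simplification of the Apache advisory:
a jar is flagged when it ships JndiLookup.class AND its version is below the
fixed release for its branch (or the version cannot be determined).
"""
import io
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = CORE_PREFIX + "lookup/JndiLookup.class"
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

# Fix versions named in the Apache advisory for CVE-2021-45046 (Dec 2021):
# 2.16.0 for Java 8+, 2.12.2 on the Java 7 branch. Extend this table if you
# track later releases; anything not listed falls back to DEFAULT_FLOOR.
FIXED_FLOORS = {(2, 12): (2, 12, 2)}
DEFAULT_FLOOR = (2, 16, 0)


@dataclass
class Finding:
    path: str                               # nested jars are shown as outer!inner
    version: Optional[Tuple[int, int, int]]
    has_jndi_lookup: bool

    @property
    def vulnerable(self) -> bool:
        if not self.has_jndi_lookup:
            return False    # class removed: the advisory's mitigation for older releases
        if self.version is None:
            return True     # unknown version still shipping JndiLookup: treat as exposed
        floor = FIXED_FLOORS.get(self.version[:2], DEFAULT_FLOOR)
        return self.version < floor


def parse_version(zf: zipfile.ZipFile, label: str) -> Optional[Tuple[int, int, int]]:
    """Prefer Implementation-Version from MANIFEST.MF; fall back to a log4j-core-X.Y.Z file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            m = VERSION_RE.search(line)
            if m:
                return tuple(int(x) for x in m.groups())  # type: ignore[return-value]
    base = os.path.basename(label)
    m = VERSION_RE.search(base) if "log4j-core" in base else None
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def scan_zip(zf: zipfile.ZipFile, label: str, out: List[Finding]) -> None:
    names = zf.namelist()
    if any(n.startswith(CORE_PREFIX) for n in names):
        out.append(Finding(label, parse_version(zf, label), JNDI_LOOKUP in names))
    # wars, ears and Spring Boot jars carry libraries as nested jars: recurse into them
    for n in names:
        if n.endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                    scan_zip(inner, f"{label}!{n}", out)
            except zipfile.BadZipFile:
                continue


def scan_directory(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, f)
                with zipfile.ZipFile(path) as zf:
                    scan_zip(zf, os.path.relpath(path, root), findings)
    return findings


def make_jar(version: Optional[str], entries: List[str]) -> bytes:
    """Constructed fixture: an archive with only the entries the scanner inspects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for e in entries:
            zf.writestr(e, b"")  # class bodies are irrelevant to the checks above
    return buf.getvalue()


def demo() -> Dict[str, bool]:
    """Build a constructed deployment in a temp dir, scan it, return {label: vulnerable}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    core = [CORE_PREFIX + "Logger.class"]
    fixtures = {
        "log4j-core-2.14.1.jar": make_jar("2.14.1", core + [JNDI_LOOKUP]),
        "log4j-core-2.12.2.jar": make_jar("2.12.2", core + [JNDI_LOOKUP]),
        "log4j-core-2.16.0.jar": make_jar("2.16.0", core + [JNDI_LOOKUP]),
        "log4j-core-2.14.1-nojndi.jar": make_jar("2.14.1", core),  # JndiLookup stripped
        "logback-classic-1.2.3.jar": make_jar("1.2.3", ["ch/qos/logback/classic/Logger.class"]),
    }
    for name, data in fixtures.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    # a war bundling an old log4j-core with no manifest version: exercises the name fallback
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.13.3.jar", make_jar(None, core + [JNDI_LOOKUP]))
    return {f.path: f.vulnerable for f in scan_directory(root)}


if __name__ == "__main__":
    results = demo() if len(sys.argv) < 2 else {f.path: f.vulnerable for f in scan_directory(sys.argv[1])}
    for label, vuln in results.items():
        print(("VULNERABLE " if vuln else "ok         ") + label)
```

Run it with a directory argument to scan a real deployment, or with no arguments to see the constructed cases. Note that a jar with JndiLookup removed is reported as ok only because that was the advisory's stated mitigation for releases older than 2.16.0; upgrading remains the recommended fix, and a shaded jar that renamed the log4j packages will not be recognised by the package-prefix check.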

If you are using log4j, follow the instructions at https://logging.apache.org/log4j/2.x/security.html or consider logback instead.

If you switch to logback, a config file may be found at https://github.com/plutext/docx4j/blob/ ... ogback.xml