hapi-hl7v2
Log4Shell
We use your library in our project and have been worrying about the newly detected zero-day vulnerability of Log4j. See: https://www.lunasec.io/docs/blog/log4j-zero-day/
I see that the log4j lib you use is 1.xxx. It is used directly by the project and it's also a dependency of slf4j. log4j 1.xxx doesn't appear among the list of vulnerable versions, but it is also not maintained anymore, so it's worrying that potentially there may be high-risk security issues with it.
I tried upgrading log4j and compiling your project, but encountered lots of errors, mainly related to dependencies being deprecated by now. It seems I'd need to upgrade a lot more than just log4j and slf4j in order to be able to recompile it.
Question: do you have plans to upgrade log4j to patch the security issue? Or are you sure that this log4j version is not affected by Log4Shell?
Many thanks