[BUG] CVE-2017-5645 - upgrade org.apache.logging.log4j:log4j-core to version 2.8.2 or higher

[danielgrigg-skyfii]

Describe the bug See https://www.cve.org/CVERecord?id=CVE-2017-5645

To Reproduce See https://www.cve.org/CVERecord?id=CVE-2017-5645

Expected behavior Not be vulnerable to https://www.cve.org/CVERecord?id=CVE-2017-5645

Screenshots N/A

Code snippet N/A

Environment com.github.salesforce-marketingcloud:[email protected]

The bug has the severity

• [x ] Critical: The defect affects critical functionality or critical data. It does not have a workaround.
• [ ] Major: The defect affects major functionality or major data. It has a workaround but is not obvious and is difficult.
• [ ] Minor: The defect affects minor functionality or non-critical data. It has an easy workaround.
• [ ] Trivial: The defect does not affect functionality or data. It does not even need a workaround. It does not impact productivity or efficiency. It is merely an inconvenience.

Additional context

[zacthompson]

Inaccurate to say "It does not have a workaround": https://logging.apache.org/log4j/2.x/security.html#fixed-in-log4j-2-8-2-java-7

Java 6 users should avoid using the TCP or UDP socket server classes, or they can manually backport the security fix commit from 2.8.2.

Since this codebase only uses the Logger interface, there's nothing in here that would be directly affected by that CVE - users would have to be explicitly adding references in their own applications in order to get hit by the bug.

However, updating to a more recent version of log4j would eliminate the risk to users, at the small cost of dropping support for Java 6, which seems like a reasonable tradeoff in 2023.