Log4J Vulnerability

Open sdiemert opened this issue 3 years ago • 1 comments

Given the dramatic Log4J vulnerability over the last few days, I had two questions:

  1. Does Logbook depend on Log4J in any way? (I think not, but always worth asking...)

  2. Does the same vulnerability exist in Logbook?

Sorry if this is a silly issue. Feel free to close promptly if this isn't a concern.

sdiemert avatar Dec 14 '21 02:12 sdiemert

Logbook relies on slf4j as its logging abstraction. We may use log4j for some tests, but then the dependencies are scoped to test.

Having said that, users of Logbook that happen to use log4j as their logging facility of choice should be very diligent. The very nature of Logbook makes users rather susceptible to the vulnerability, since most if not all user-supplied inputs are being logged.

whiskeysierra avatar Dec 14 '21 08:12 whiskeysierra
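
The reply above distinguishes test-scoped log4j dependencies from ones that ship with an application; that distinction can be checked against an application's own dependency tree. The following is an added example, not part of the thread or of Logbook's code: it assumes a Maven build, parses `mvn dependency:tree` output, and uses a constructed sample tree with hypothetical `com.example` coordinates and placeholder versions. Matching on `org.apache.logging.log4j:log4j-core` is an assumption of the example.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical
# application. The com.example coordinates and all versions are placeholders.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:tree (default-cli) @ shop-service ---
[INFO] com.example:shop-service:jar:1.0.0
[INFO] +- org.zalando:logbook-core:jar:1.0.0:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.0.0:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:1.0.0:runtime
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:1.0.0:runtime
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:1.0.0:runtime
[INFO] \\- com.example:test-support:jar:1.0.0:test
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:1.0.0:test
[INFO] BUILD SUCCESS
"""

# "[INFO] ", then tree-drawing characters, then the coordinate token.
DEP_LINE = re.compile(r"^\[INFO\]\s[|+\\\-\s]*(\S+)")
KNOWN_SCOPES = {"compile", "runtime", "provided", "system", "test"}
# Every scope except "test" ends up on the classpath of the running service.
RUNTIME_SCOPES = KNOWN_SCOPES - {"test"}
TARGET = ("org.apache.logging.log4j", "log4j-core")  # assumed artifact of interest


def log4j_core_findings(tree_text):
    """Return (version, scope) for every log4j-core entry in the tree."""
    findings = []
    for line in tree_text.splitlines():
        match = DEP_LINE.match(line)
        if not match:
            continue
        # group:artifact:type[:classifier]:version:scope
        parts = match.group(1).split(":")
        if len(parts) < 5 or parts[-1] not in KNOWN_SCOPES:
            continue  # root artifact, plugin banner or status line
        if (parts[0], parts[1]) == TARGET:
            findings.append((parts[-2], parts[-1]))
    return findings


def shipped_log4j_core(tree_text):
    """Keep only the entries that reach the runtime classpath."""
    return [f for f in log4j_core_findings(tree_text) if f[1] in RUNTIME_SCOPES]


if __name__ == "__main__":
    for version, scope in shipped_log4j_core(SAMPLE_TREE):
        print(f"log4j-core {version} is on the runtime classpath (scope: {scope})")
```

A test-scoped entry, as described for Logbook's own build, is reported by `log4j_core_findings` but filtered out by `shipped_log4j_core`.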

In order to prioritize the support for Logbook, we would like to check whether the old issues are still relevant. This issue has not been updated for over a year.

  • Please check if it is still relevant in the latest version of the Logbook.
  • If so, please add a descriptive comment to keep the issue open.
  • Otherwise, the issue will automatically be closed after a week.

github-actions[bot] avatar Jul 14 '23 15:07 github-actions[bot]

This issue has automatically been closed due to no activities. If the issue still exists in the latest version of the Logbook, please feel free to re-open it.

github-actions[bot] avatar Jul 24 '23 01:07 github-actions[bot]