JAL-3933: Use of log4j and mitigation of critical alert "Apache Log4j 2...
describe the "Log4Shell" vulnerability found in log4j versions 2.0beta9 through to all versions below 2.14.1.
Log4j is found in some jars that Jalview packages, though it is not certain yet which version or in what configuration these classes are used (possibly not at all).
cd j8lib; for x in *.jar; do G=$(unzip -t "$x" | grep org/apache/log4j | sed -e 's/^ *testing: //;s/ *OK$//;'); [ "$G" != "" ] && echo "$x" && echo -- && for c in $G; do echo "$c"; done && echo ==; done > list
produces the attached list.
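The one-liner above matches org/apache/log4j, which is the Log4j 1.x package (also used by the log4j-1.2-api bridge), whereas Log4Shell is in Log4j 2, whose classes sit under org/apache/logging/log4j. The scanner below is an added example, not Jalview's code: it walks a jar and any jars nested inside it, counts classes from both package families, reads the Maven version of each log4j artifact from its pom.properties, and reports whether JndiLookup.class (the class Apache's class-removal mitigation deletes) is present; the jars it builds are constructed fixtures, not real Log4j artifacts.

```python
import io
import re
import zipfile

# Log4j 2 (the generation hit by Log4Shell) lives under org/apache/logging/log4j;
# org/apache/log4j is Log4j 1.x or the log4j-1.2-api bridge that ships with Log4j 2.
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # class Apache's mitigation deletes
POM_PROPS = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/([^/]+)/pom\.properties$")

def scan_zip(zf, origin):
    """Walk one jar and every jar nested inside it (fat/shaded jars embed their dependencies)."""
    found, hits = {"origin": origin, "log4j1": 0, "log4j2": 0, "jndi_lookup": False, "versions": {}}, []
    for name in zf.namelist():
        if name.startswith(LOG4J1_PREFIX):
            found["log4j1"] += 1
        elif name.startswith(LOG4J2_PREFIX):
            found["log4j2"] += 1
            found["jndi_lookup"] |= name == JNDI_LOOKUP
        m = POM_PROPS.search(name)
        if m:  # Maven metadata names the artifact (e.g. log4j-core) and its version
            ver = re.search(r"^version=(.+)$", zf.read(name).decode("utf-8", "replace"), re.M)
            found["versions"][m.group(1)] = ver.group(1).strip() if ver else "unknown"
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                hits += scan_zip(inner, origin + "!/" + name)
    if found["log4j1"] or found["log4j2"]:
        hits.append(found)
    return hits

def scan_jar(src):
    """src is a jar path or the raw bytes of a jar; returns one record per jar that carries log4j classes."""
    with zipfile.ZipFile(io.BytesIO(src) if isinstance(src, bytes) else src) as zf:
        return scan_zip(zf, src if isinstance(src, str) else "<bytes>")

def build_sample_jar(version, with_jndi, wrap=False):
    """Constructed fixture, not a real Log4j artifact: a fake log4j-core jar, optionally nested in an app jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", "version=%s\n" % version)
    if not wrap:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:  # mimic a fat/shaded jar with the dependency under lib/
        zf.writestr("lib/log4j-core.jar", buf.getvalue())
    return outer.getvalue()
```

Run scan_jar over each jar in j8lib to get, per jar, which log4j generation it carries, the artifact version, and whether the JNDI lookup class is still inside; a 2.x hit with jndi_lookup True is the case the remediation above has to deal with.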
Proposed remediation: log4j is either replaced with a fixed version or stripped out completely (if this does not break anything), and a 18.104.22.168 release is put on the release channel immediately.
Branches in review
Issues Raised From Comments