Hello everyone,
A disastrous security vulnerability has been found recently: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec
CUBA platform, as well as Jmix, does not use the Log4j library directly and does not bring it through transitive dependencies. If you run these commands:
./gradlew :app-core:dependencies | grep log4j
./gradlew :app-web:dependencies | grep log4j
you may see only the interface adapter:
org.slf4j:log4j-over-slf4j:1.7.29
The vulnerability is located in the log4j-core module of library version 2. If you use dependencies other than the standard CUBA add-ons, they can potentially bring the vulnerable library, so better check the dependency tree as shown above, or just look at the contents of the deployed application.
If you find the log4j-core module of a version between 2.0 and 2.14.1 in the dependencies, immediately upgrade your project to the latest version of Log4j. In a CUBA application, you can do it by specifying the dependency with the required version in build.gradle, for example:
configure(globalModule) {
    dependencies {
        implementation 'org.apache.logging.log4j:log4j-1.2-api:2.15.0'
        implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.15.0'
        implementation 'org.apache.logging.log4j:log4j-core:2.15.0'
        // ...
    }
}
Regards,
Konstantin
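The post recommends checking the Gradle dependency tree for log4j-core. The script below is an added example, not part of the original post or of the CUBA project: a POSIX shell function that reads `./gradlew :app-core:dependencies` output and prints any log4j-core entry whose resolved version falls in the 2.0 to 2.14.1 range the post names. The dependency-tree text embedded in the script is constructed to look like Gradle's output (including a `->` version substitution), and `com.example:some-addon` is a hypothetical add-on name.

```shell
#!/bin/sh
# Added example: flag log4j-core versions 2.0 .. 2.14.1 in a Gradle dependency tree.
# Not code from the original post; the sample tree below is constructed.

# Constructed sample of `./gradlew :app-core:dependencies` output in which a
# hypothetical third-party add-on (com.example:some-addon) pulls in log4j-core.
SAMPLE_TREE='
runtimeClasspath - Runtime classpath of source set main.
+--- org.slf4j:log4j-over-slf4j:1.7.29
+--- com.example:some-addon:1.0
|    +--- org.apache.logging.log4j:log4j-api:2.13.0 -> 2.14.1
|    \--- org.apache.logging.log4j:log4j-core:2.13.0 -> 2.14.1
\--- org.apache.logging.log4j:log4j-to-slf4j:2.15.0
'

# Reads a Gradle dependency tree on stdin. Prints "log4j-core:<version>" for
# every log4j-core line whose resolved version is within 2.0 .. 2.14.1.
# Exit status 0 if at least one affected entry was found, 1 otherwise.
affected_log4j_core() {
    awk '
    /org\.apache\.logging\.log4j:log4j-core:/ {
        # Gradle prints "declared -> resolved" when it substitutes a version;
        # the resolved one is what ends up on the classpath, so prefer it.
        if (match($0, /-> *[0-9][0-9.]*/)) {
            ver = substr($0, RSTART, RLENGTH)
            sub(/-> */, "", ver)
        } else if (match($0, /log4j-core:[0-9][0-9.]*/)) {
            ver = substr($0, RSTART + 11, RLENGTH - 11)   # skip "log4j-core:"
        } else {
            next
        }
        n = split(ver, p, ".")
        major = p[1] + 0
        minor = (n > 1 ? p[2] : 0) + 0
        patch = (n > 2 ? p[3] : 0) + 0
        # Affected range stated in the post: 2.0 <= version <= 2.14.1
        if (major == 2 && (minor < 14 || (minor == 14 && patch <= 1))) {
            print "log4j-core:" ver
            found = 1
        }
    }
    END { if (found) exit 0; exit 1 }'
}

# Stand-alone demonstration on the constructed sample.
if printf '%s\n' "$SAMPLE_TREE" | affected_log4j_core; then
    echo "affected log4j-core found (see above); upgrade as described in the post"
else
    echo "no affected log4j-core in the tree"
fi
```

In a real project, pipe the Gradle output in instead of the sample, e.g. `./gradlew :app-core:dependencies | affected_log4j_core`, and repeat for `:app-web:dependencies`; a non-zero exit status means nothing in the affected range was found, which makes the function usable as a CI gate.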