Neo4j

mrj22 · ‎01-12-2022

Hey.
We are are wondering if there are any efforts under way for the mitigation of the Log4j CVE in the spatial plugin. Log4J is only used in a couple areas, but it is there. Is there a plan to remove it altogether or update to to the newer version of Log4J.
Thanks,
Michael

craig_taverner · ‎01-12-2022

Looking at the pom.xml file I see we depend on log4j 1.2.17. This is not affected by the CVE, at least according to the information at Log4j – Apache Log4j Security Vulnerabilities.

Log4j 1.x is not impacted by this vulnerability.

When I look at where it is used, it seems to be the GeoServer integration, and we would depend on the version used by the version of GeoServer. So if we port to a newer GeoServer, then we should make sure that the version of Log4j they use is not affected. But right now it does not seem to be a concern for the current version of the spatial library.

View solution in original post

craig_taverner · ‎01-12-2022

Looking at the pom.xml file I see we depend on log4j 1.2.17. This is not affected by the CVE, at least according to the information at Log4j – Apache Log4j Security Vulnerabilities.

Log4j 1.x is not impacted by this vulnerability.

When I look at where it is used, it seems to be the GeoServer integration, and we would depend on the version used by the version of GeoServer. So if we port to a newer GeoServer, then we should make sure that the version of Log4j they use is not affected. But right now it does not seem to be a concern for the current version of the spatial library.

mrj22 · ‎01-12-2022

Hey Craig.
Thanks so much for quick reply. Very glad to hear that it isn't a problem.
Michael

Neo4j

Mitigation of Log4J CVE in spatial plugin