
Info

Update 13/12 2021:

While the issue is mitigated in Apache Log4J2 version 2.15.0 by disabling the feature by default, that does not remove the vulnerability itself.
It looks like Apache is working on a new version, 2.16.0, that removes this “feature” completely. See https://issues.apache.org/jira/projects/LOG4J2/issues/LOG4J2-3211

Everyone using Log4J2 should prepare to update to that when released.

Update 14/12 2021:

Log4J2 version 2.16.0 is now released, removing lookups entirely.

How Ceptor can help

Ceptor fortunately does not use Log4J2; it uses SLF4J/Logback (and Log4J v1.x if configured to do so), so it is not affected.
