POI 5.1.0 and XMLBeans 5.0.2 (the latest releases of both) have dependencies on log4j-api 2.14.1. The security vulnerabilities are not in log4j-api - they are in log4j-core.
If any POI or XMLBeans user uses log4j-core to control their logging of their application, we strongly recommend that they upgrade to all their log4j dependencies to the latest version (currently v2.16.0) - including log4j-api. On Friday 10 December 2021, 20:32:25 GMT+1, PJ Fanning <fannin...@apache.org> wrote: Hi, POI 5.1.0 uses Log4J 2 for logging. There has been an important new release of Log4J - version 2.15.0 - to mitigate a security issue. The POI team recommends that users upgrade their Log4J dependency to use the 2.15.0 release. https://logging.apache.org/log4j/2.x/security.html https://www.lunasec.io/docs/blog/log4j-zero-day/ The lunasec blog includes details of a 'temporary' setting you can use to mitigate the issue (if you can't upgrade to log4j v2.15.0 yet). Regards, PJ --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@poi.apache.org For additional commands, e-mail: user-h...@poi.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org For additional commands, e-mail: dev-h...@poi.apache.org
