Afaik we are not using the native log4j library. I think the
vulnerability is only in the actual log4j.jar file.

log4j-over-slf4j is merely a bridge that mimics log4j APIs in order to
redirect the log stream into slf4j without rewriting the existing log4j
logging statements. The bridge ensures old dependencies that have not been
migrated to SLF4J can work with OpenMeetings.

So OpenMeetings is not using or distributing the native log4j JAR library.
Also the Tomcat version we are using that bundles OpenMeetings into a Java
Servlet Container is not affected since it's not using the native log4j jar
file.

So as far as I can see this vulnerability should not impact OpenMeetings.

However OpenMeetings regularly ships updates with the latest libraries and
dependencies, so if you are not using the latest version, you should
update. There have been other CVEs fixed in recent versions.

Thanks
Sebastian

Sebastian Wagner
Director Arrakeen Solutions, OM-Hosting.com
http://arrakeen-solutions.co.nz/
https://om-hosting.com - Cloud & Server Hosting for HTML5
Video-Conferencing OpenMeetings
<https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url>
<https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url>


On Mon, 13 Dec 2021 at 07:29, Thomas Scholzen <tschol...@buche17.de> wrote:

> OpenMeetings has, among others, the following dependencies:
>
> log4j-over-slf4j-1.7.32.jar
> slf4j-api-1.7.32.jar
> jcl-over-slf4j-1.7.32.jar
>
> Does anyone know whether these are affected by the log4j vulnerability
> CVE-2021-44228 and have to be updated?
>
> Thanks,
> Thomas
>

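The distinction drawn in the thread above (a bridge JAR that only mimics the log4j API versus the actual log4j library) can be checked by archive content rather than by file name. The following is an added example, not code from the thread or from the OpenMeetings project: it looks for the `JndiLookup` class that log4j-core 2.x ships, including inside nested JARs in a WAR. The function names and the sample archives are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# Class behind the ${jndi:...} lookup in log4j-core 2.x (the CVE-2021-44228 code path).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")


def find_jndi_lookup(data, name, max_depth=4):
    """Return paths of archives (including nested ones) that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to report
    with zf:
        for entry in zf.namelist():
            if entry == JNDI_LOOKUP:
                hits.append(name)
            elif entry.lower().endswith(ARCHIVES) and max_depth > 0:
                # Fat JARs and WARs bundle libraries, e.g. under WEB-INF/lib/.
                hits += find_jndi_lookup(zf.read(entry), f"{name}!/{entry}", max_depth - 1)
    return hits


def scan_tree(root):
    """Check every archive below a directory, e.g. a servlet container's webapps folder."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(ARCHIVES):
            hits += find_jndi_lookup(path.read_bytes(), str(path))
    return hits


def make_archive(members):
    """Build a constructed in-memory archive from {entry name: bytes} for the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in members.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed samples: a bridge JAR with log4j 1.x API names only, and a WAR bundling log4j-core.
BRIDGE = make_archive({"org/apache/log4j/Logger.class": b"placeholder"})
CORE = make_archive({JNDI_LOOKUP: b"placeholder"})
WAR = make_archive({"WEB-INF/lib/log4j-core-SAMPLE.jar": CORE, "WEB-INF/lib/bridge.jar": BRIDGE})
```

Running `scan_tree` over an installation directory lists every archive that carries the class; an empty list means no copy of it was found in the archives scanned.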