0 votes
370 views
There is a blog post dated December 2021 indicating openLCA is not impacted by the log4j 2.x vulnerabilies. However, log4j 1.x hasn't been supported since August of 2015 and has many know significant vulnerabilities as well. An answer here or in another blog post commenting on the vulnerability of log4j 1.x within your code/implementation would be much appreciated.
in openLCA by (120 points)

1 Answer

0 votes
by (125k points)
Well, we do not use log4j at all any more in version 2 of openLCA, thus no plans to upgrade to a supported version? Or am I not getting your question?
by (120 points)
That answers the questions perfectly. I didn't realize we weren't using the latest. My security scanner was just reporting that the installed version had vulnerable log4j. Thanks!
by (100 points)
Can you advise for this file path? We upgraded the user to V2

C:\Program Files (x86)\openLCA\plugins\olca-app_1.11.0\libs\log4j-1.2.17.jar
by (125k points)
Yes that is for the old 1.11 version. Uninstall this version befoe installing version 2.
...