Any plans to upgrade log4j to a supported version?

Question

There is a blog post dated December 2021 indicating openLCA is not impacted by the log4j 2.x vulnerabilies. However, log4j 1.x hasn't been supported since August of 2015 and has many know significant vulnerabilities as well. An answer here or in another blog post commenting on the vulnerability of log4j 1.x within your code/implementation would be much appreciated.

Answer 1

Well, we do not use log4j at all any more in version 2 of openLCA, thus no plans to upgrade to a supported version? Or am I not getting your question?

Comments

That answers the questions perfectly. I didn't realize we weren't using the latest. My security scanner was just reporting that the installed version had vulnerable log4j. Thanks!

---

Can you advise for this file path? We upgraded the user to V2

C:\Program Files (x86)\openLCA\plugins\olca-app_1.11.0\libs\log4j-1.2.17.jar

---

Yes that is for the old 1.11 version. Uninstall this version befoe installing version 2.