Impact of Log4j vulnerability on RMsis.
- Pritam Kumar
Question: Is RMSIS impacted by the problem of Log4J vulnerability?
Please note that RMsis uses sl4j (http://www.slf4j.org/ ) to generate the logs.
RMsis does not directly use Log4j.
It is there as a dependency of another third-party library.
Moreover, the version being used is Log4J 1.x.
Therefore we believe we are not directly affected by this issue.
Additionally, we will be upgrading the Log4j version to 2.16+ in RMsis, which will remove any risk whatsoever related to this vulnerability.
Please note that Log4j 2.x is affected by the recently found vulnerability (CVE-2021-45105).
However, Log4j 1.x is not impacted by this vulnerability.
See the following page for reference: https://logging.apache.org/log4j/2.x/security.html
Once the Log4j 2.x vulnerabilities are fixed and validated, we will be explicitly upgrading all dependencies of the Log4j.