From: Kasemir, K. <kas...@or...> - 2022-02-23 14:13:05
> I would like to inquire whether the software "Control System Studio" and "CSS-Epics" are affected by the Log4j vulnerability known since December 2021.

None of our code calls log4j or directly requires it. For the SNS product, log4j is not required.
We encourage that all CS-Studio/Phoebus code logs via the basic java.util.logging mechanism, https://github.com/ControlSystemStudio/phoebus/pull/1031/files

That's the idea. In reality, we depend on other libraries, some of which come with configurable logging mechanisms. It's certainly possible to build a product that includes log4j, routes all the java-util-logging calls to log4j, which then sends them to slf4j and so on.

In the end, you need to check your site-specific product. Does it include a *log4j*.jar file? If you delete that, will it still run?

-Kay
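
One way to run the check described in the message above, as an added example that is not part of the original email or of CS-Studio/Phoebus: a Python scan of a product directory for `*log4j*.jar` files. Beyond the file-name test in the message, it also opens nested archives and looks for the `JndiLookup` class of log4j-core 2.x; the sample tree and its file names are constructed.

```python
import io, os, re, tempfile, zipfile
from pathlib import Path
ARCHIVE = re.compile(r"\.(jar|war|ear|zip)$", re.I)
NAME_HIT = re.compile(r"log4j.*\.jar$", re.I)   # the *log4j*.jar test from the message
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # in log4j-core 2.x

def scan_archive(data, label, hits):
    """Record log4j evidence inside one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            inner = f"{label}!/{name}"
            if name.endswith(JNDI_CLASS):
                hits.append((inner, "JndiLookup class"))
            if ARCHIVE.search(name):
                if NAME_HIT.search(os.path.basename(name)):
                    hits.append((inner, "file name"))
                scan_archive(zf.read(name), inner, hits)

def find_log4j(root):
    """Walk a product directory; return (location, reason) for each finding."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(f for f in files if ARCHIVE.search(f)):
            path = os.path.join(dirpath, fn)
            if NAME_HIT.search(fn):
                hits.append((path, "file name"))
            scan_archive(Path(path).read_bytes(), path, hits)
    return hits

def build_sample_product(root):
    """Constructed sample tree: a clean jar, a renamed log4j copy, a nested jar."""
    def jar(name, body=b""):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, body)
        return buf.getvalue()
    Path(root, "lib").mkdir()
    Path(root, "lib", "app.jar").write_bytes(jar("org/example/Main.class"))
    Path(root, "lib", "shaded-deps.jar").write_bytes(jar(JNDI_CLASS))
    Path(root, "product.war").write_bytes(jar("WEB-INF/lib/log4j-core-2.x.jar", jar(JNDI_CLASS)))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_product(tmp)
        print(*find_log4j(tmp), sep="\n")
```

To scan a real installation, call `find_log4j` with the product's install directory; an empty result only covers the archive types listed in `ARCHIVE`.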