From: Leif M. <lei...@ta...> - 2021-12-16 04:58:56
Nalini,

Thank you for your email.

The Java Service Wrapper does not use log4j directly. However, many Java applications use it as part of an application run within the Wrapper. If your application uses log4j, then you would need to update it with the fixed version or patch provided by Apache. You can find more information on the page below:

https://logging.apache.org/log4j/2.x/security.html

Setting property "wrapper.java.command.loglevel=INFO" in the wrapper.conf file lets you confirm the classpath passed to the JVM when starting your application. Please first confirm whether or not log4j was added there.

Please note that it is also possible that log4j is loaded from the Java code, by other classloaders. Applications such as Tomcat, Jetty, JBoss typically may include log4j in their war files. This should be checked with the developers of your application.

The Wrapper itself is not affected by this vulnerability (CVE-2021-44228).

If you have further questions, please let me know.

Cheers,
Leif

On Thu, Dec 16, 2021 at 2:01 AM nal...@in... <nal...@in...> wrote:

> Is the Java Service Wrapper subject to the Log4J vulnerability if using
> the base logging?
>
> Thanks,
>
> Nalini Elkins
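An added example, not part of the original email or the Wrapper project's code: a Python script for the check described in the message, looking for log4j-core inside the archives on the classpath, including jars nested in WAR files. The function names and the sample WAR are constructed for illustration; any version it reports should be compared against the Apache security page linked in the message.

```python
import io
import re
import sys
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear")
# Entries that a log4j-core 2.x jar carries (Maven metadata and the JNDI lookup class).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(location, version, has_jndi_lookup)] for each log4j-core copy found."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not an archive; nothing to report
    findings = []
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = "unknown"  # shaded/fat jars may drop the Maven metadata
            if POM_PROPS in names:
                text = zf.read(POM_PROPS).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                version = m.group(1).strip() if m else version
            findings.append((label, version, JNDI_CLASS in names))
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(n for n in names if n.lower().endswith(ARCHIVE_EXT)):
                findings += scan_archive(zf.read(name), f"{label}!/{name}", depth + 1, max_depth)
    return findings

def build_sample_war():
    """Constructed sample: a WAR whose WEB-INF/lib holds a stand-in log4j-core jar."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPS, "artifactId=log4j-core\nversion=0.0.0-constructed\n")
        zf.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/log4j-core-sample.jar", jar.getvalue())
    return war.getvalue()

if __name__ == "__main__":
    # Pass the archives listed on the classpath the Wrapper logs; no arguments scans the sample.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [("sample.war", build_sample_war())]
    for label, data in targets:
        for where, version, jndi in scan_archive(data, label):
            print(f"{where}: log4j-core {version}, JndiLookup.class present: {jndi}")
```

A finding with version "unknown" means the class files are present without Maven metadata, which is typical of repackaged jars and still needs review with the application's developers.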