High-risk vulnerability in Log4j 2.x --- not used with SikuliX

Asked by Kunal Gajbhiye

------------------- information

In some dependency of SikuliX, log4j is mentioned as a dependency, but the version is 1.2.17.

Since the vulnerable version is log4j 2.x, it is correct that SikuliX neither uses nor depends on the vulnerable log4j.

Hence there is nothing to do with respect to SikuliX.

-------------------------------------------------------------------

High-risk vulnerability in Log4j, which is being used in the sikulixapi 2.0.5 package.

Do we have any solution on this, or are we safe to use Sikuli version 2.0.5?

For reference please check the URL - https://www.veracode.com/blog/security-news/urgent-analysis-and-remediation-guidance-log4j-zero-day-rce-cve-2021-44228

Requesting to provide the solution as soon as possible.

Manfred Hampl (m-hampl) said :
#1
Chetan (cshamdas) said :
#2

As per the latest updates:
A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 utility was disclosed publicly via the project's GitHub on December 9, 2021. This vulnerability, which was discovered by Chen Zhaojun of Alibaba Cloud Security Team, impacts Apache Log4j 2 versions 2.0 to 2.14.1. There are reports from Log4j maintainers that the 1.x series may also be vulnerable to this issue when using the JMS Appender class.

Kunal Gajbhiye (kunalgajbhiye-3ds) said :
#3

Hi,

I am using sikulixapi-2.0.5.jar, wherein I can see that log4j is being used, which is version 1.2.17.
So I just want to know whether the log4j vulnerability issue will impact it or not?
I have gone through the above answered question, but still I am not getting clarity from it, so please assist me.

Launchpad Janitor (janitor) said :
#4

This question was expired because it remained in the 'Open' state without activity for the last 15 days.

RaiMan (raimund-hocke) said :
#5

definitely no problems with SikuliX
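A check a defender can run to confirm what the information block and the final answer state (only Log4j 1.2.17 pulled in, no Log4j 2.x JndiLookup class): an added Python example, not SikuliX code, that scans a jar, descending into nested jars as found in shaded or fat jars, for the class paths and Maven pom.properties that identify the Log4j generation and version. The sample jars are constructed inside the script and are not real sikulixapi artifacts.

```python
# Scan a jar for bundled Log4j: Log4j 2.x JndiLookup (CVE-2021-44228) vs Log4j 1.x only.
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE = "org/apache/logging/log4j/core/"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
POM_PROPS = re.compile(r"META-INF/maven/(log4j/log4j|org\.apache\.logging\.log4j/[^/]+)/pom\.properties$")

def scan_jar(data: bytes, depth: int = 0) -> dict:
    """Collect Log4j markers from jar bytes, descending into nested jars (shaded/fat jars)."""
    found = {"log4j1": False, "log4j2_core": False, "jndi_lookup": False, "versions": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == LOG4J1_MARKER:
                found["log4j1"] = True
            elif name.startswith(LOG4J2_CORE):
                found["log4j2_core"] = True
                found["jndi_lookup"] |= name == JNDI_LOOKUP
            elif POM_PROPS.search(name):  # Maven metadata names the exact bundled version
                for line in zf.read(name).decode().splitlines():
                    if line.startswith("version="):
                        found["versions"].add(line.split("=", 1)[1].strip())
            elif name.endswith(".jar") and depth < 3:
                nested = scan_jar(zf.read(name), depth + 1)
                for key in ("log4j1", "log4j2_core", "jndi_lookup"):
                    found[key] = found[key] or nested[key]
                found["versions"] |= nested["versions"]
    return found

def verdict(found: dict) -> str:
    # Triage decision for CVE-2021-44228 from the collected markers
    if found["jndi_lookup"]:
        return "log4j 2.x with JndiLookup bundled: affected by CVE-2021-44228, upgrade"
    if found["log4j2_core"]:
        return "log4j 2.x core without JndiLookup: confirm the version against the advisory"
    if found["log4j1"]:
        return "only log4j 1.x bundled: not affected by CVE-2021-44228 (JMSAppender caveat only if that appender is used)"
    return "no log4j bundled"

def build_jar(entries: dict) -> bytes:
    """Build a constructed sample jar in memory (not a real SikuliX artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples: a 1.2.17-style jar as described in the question, and a fat jar nesting log4j-core 2.14.1
SAMPLE_1X = build_jar({LOG4J1_MARKER: b"", "META-INF/maven/log4j/log4j/pom.properties": "version=1.2.17\n"})
SAMPLE_FAT_2X = build_jar({"lib/log4j-core.jar": build_jar({JNDI_LOOKUP: b"", "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties": "version=2.14.1\n"})})
```

Run `verdict(scan_jar(open("sikulixapi-2.0.5.jar", "rb").read()))` against the real artifact to reproduce the check on a downloaded jar.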