Log4j 1.x vulnerability with Sikuli 2.x?

Asked by Maxime PARAT

Hello,

My company is requesting me to analyze a potential vulnerability issue with one of our vendor frameworks based on SikuliX 2.0.
Can you please confirm whether there is any vulnerability with this Sikuli version regarding log4j 1.x?
If yes, do you have any plan to fix it soon?

Thanks for your help!

Question information

Language: English
Status: Solved
For: SikuliX
Assignee: No assignee
Solved by: RaiMan

Manfred Hampl (m-hampl) said :
#1
Manfred Hampl (m-hampl) said :
#2

Sorry, ignore my answer.
You are not referring to CVE-2021-44228 for log4j 2.x, but to the vulnerabilities that have been reported for log4j 1.x: CVE-2022-23302, -23305 or -23307.
I cannot tell anything about these. I hope that RaiMan can help with it.

Maxime PARAT (maximeds) said :
#3

Yes, I am asking for log4j 1.x (NOT log4j 2.x).

Best RaiMan (raimund-hocke) said :
#4

Until version 2.0.5, log4j 1.x exists in SikuliX through the dependency chain tess4j -> ghost4j -> log4j.

Beginning with version 2.0.6 we use the latest version of Tess4J (5.1.1), which has replaced ghost4j with apache-pdfbox and hence no longer depends on any log4j.
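
Added example (not part of the original thread and not SikuliX project code): one way to check whether a given jar still bundles log4j 1.x, directly or inside a nested jar, and which classes tied to the CVEs named above are present. The function names and the in-memory sample jars are constructed for illustration.

```python
import io
import zipfile

# log4j 1.x lives in org/apache/log4j/; log4j 2.x uses org/apache/logging/log4j/.
LOG4J1_PREFIX = "org/apache/log4j/"
# Classes/packages associated with the log4j 1.x CVEs named in this thread.
CVE_MARKERS = {
    "CVE-2022-23302": "org/apache/log4j/net/JMSSink.class",
    "CVE-2022-23305": "org/apache/log4j/jdbc/JDBCAppender.class",
    "CVE-2022-23307": "org/apache/log4j/chainsaw/",
}

def scan_jar(data, name="<jar>"):
    """Return findings for log4j 1.x classes, recursing into nested jars."""
    findings = []
    try:
        jar = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive, nothing to report
    with jar:
        entries = jar.namelist()
        if any(e.startswith(LOG4J1_PREFIX) and e.endswith(".class") for e in entries):
            present = sorted(cve for cve, marker in CVE_MARKERS.items()
                             if any(e.startswith(marker) for e in entries))
            findings.append({"jar": name, "cve_classes": present})
        for e in entries:
            if e.lower().endswith((".jar", ".war")):
                findings += scan_jar(jar.read(e), f"{name}!/{e}")
    return findings

def _make_jar(entries):
    """Build a constructed in-memory jar from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for entry, content in entries.items():
            z.writestr(entry, content)
    return buf.getvalue()

def sample_jars():
    # Constructed sample data, not real SikuliX artifacts.
    log4j1 = _make_jar({"org/apache/log4j/Logger.class": b"",
                        "org/apache/log4j/net/JMSSink.class": b"",
                        "org/apache/log4j/jdbc/JDBCAppender.class": b""})
    old = _make_jar({"app/Main.class": b"", "lib/log4j-1.x.jar": log4j1})
    new = _make_jar({"app/Main.class": b"", "org/apache/logging/log4j/Logger.class": b""})
    return old, new

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_jar(fh.read(), path) or "no log4j 1.x classes found")
```

A finding shows that the library is bundled in the jar, not that the affected components (JMSSink, JDBCAppender, Chainsaw) are configured or reachable.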

Maxime PARAT (maximeds) said :
#5

Thanks RaiMan, that solved my question.