
Vulnerable log4j 1.2.x #632

Closed
hkz-aarvesen opened this issue Dec 13, 2021 · 4 comments

Comments


hkz-aarvesen commented Dec 13, 2021

Describe the bug

Log4j has a bad security vulnerability: CVE-2019-17571. Per the Apache site, the remediation is to upgrade to log4j 2 with the fix.

Both the 1.9.2 branch (which I use) and the main branch use the vulnerable library. Please upgrade to the latest version.

To Reproduce

  1. Build code
  2. Note that we see the old jar used
  3. The pom.xml files specify an outdated version. For example, server/pom.xml:
        <dependency>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>1.2.17</version>
        </dependency>

Expected behavior

Please upgrade to log4j 2.15 or later. Sadly, there are incompatibilities between versions.

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):
N/A

Additional context
-According to this page, one can also set a JVM property to avoid this.- Further digging looks like that is for log4j 2.10+, so not helpful here.
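An added example, not code from this project, that scans a pom.xml for the log4j dependency this issue is about: it flags the log4j:log4j 1.x artifact and any log4j-core pinned below the 2.15 floor the reporter asks for, resolving `${...}` version placeholders from `<properties>`. The sample pom is constructed, modelled on the server/pom.xml excerpt above.

```python
import re
import xml.etree.ElementTree as ET

MIN_LOG4J2 = (2, 15)  # floor requested in the issue: "log4j 2.15 or later"

def _local(tag):
    # strip the Maven xmlns so poms with or without it parse alike
    return tag.split("}", 1)[1] if "}" in tag else tag

def scan_pom(pom_xml):
    """Return (groupId, artifactId, version, reason) tuples for risky log4j deps."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        gid, aid, ver = f.get("groupId", ""), f.get("artifactId", ""), f.get("version", "")
        # resolve ${prop} placeholders from <properties>; unknown ones are left as-is
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
        if gid == "log4j" and aid == "log4j":
            findings.append((gid, aid, ver, "log4j 1.x is end-of-life; migrate to log4j 2"))
        elif (gid == "org.apache.logging.log4j" and aid == "log4j-core"
              and "${" not in ver
              and tuple(int(x) for x in re.findall(r"\d+", ver)) < MIN_LOG4J2):
            findings.append((gid, aid, ver, "log4j-core older than 2.15"))
    return findings

# Constructed sample pom, modelled on the server/pom.xml excerpt in the issue
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.14.1</log4j2.version></properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
  </dependencies>
</project>"""
```

Run `scan_pom(open("server/pom.xml").read())` over each module's pom to list the dependencies that still need the upgrade.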

@hkz-aarvesen
Author

Okay - on further review, version 1.x is not vulnerable to this particular bug. It is however vulnerable to other bugs :)

Closing this issue now so that remains clear.

@jrivard
Contributor

jrivard commented Dec 14, 2021

see #628.

@sahil-sardana

Hello @jrivard Can you please confirm if log4j-1.2.17.jar is vulnerable to CVE-2022-23305?

Can we migrate to log4j 2 following the below document:
https://logging.apache.org/log4j/2.x/manual/migration.html

@jrivard
Contributor

jrivard commented Mar 31, 2022

See #628
