Is Log4j CVE-2021-44228 a problem here?

Rimbalza3 years ago

As per subject, is there some dependency on Log4j and there is a new build/config suggestion to eliminate the problem?
Thanks

Track-trace3 years ago

You didn't read the forum ?

https://www.traccar.org/forums/topic/traccar-server-affected-by-log4j-security-issue/

Rimbalza3 years ago

With no find function and no refs to CVE-2021-44228 in the first page I didn't noticed. Sorry to steal your life 30 seconds.

Track-trace3 years ago

Dont worry about it. Here is the find function https://www.traccar.org/search/

Anton Tananaev3 years ago

Very old versions used to use log4j, but if you are using a more recent one, you should be fine. A bit more info on specific version numbers:

https://github.com/traccar/traccar/issues/4782

snoopy3 years ago

Note for users who are still on older versions: Traccar v3.16 still has log4j v1.2.17. However, log4j versions 1.x are only affected, if the logging config file was specifically modified to perform JDNI lookups. See http://slf4j.org/log4shell.html for details.

Anton Tananaev3 years ago

Basically no versions of Traccar are affected.

snoopy3 years ago

Do you mean that Traccar's logging config by default does not have JNDI enabled?

Anton Tananaev3 years ago

Correct. We never enable JMSAppender.