Is Log4j CVE-2021-44228 a problem here?

Rimbalza 4 years ago

As per subject, is there some dependency on Log4j, and is there a new build/config suggestion to eliminate the problem?
Thanks

Track-trace 4 years ago
Rimbalza 4 years ago

With no find function and no refs to CVE-2021-44228 on the first page, I didn't notice. Sorry to steal 30 seconds of your life.

Track-trace 4 years ago

Don't worry about it. Here is the find function: https://www.traccar.org/search/

Anton Tananaev 4 years ago

Very old versions used to use log4j, but if you are using a more recent one, you should be fine. A bit more info on specific version numbers:

https://github.com/traccar/traccar/issues/4782

snoopy 4 years ago

Note for users who are still on older versions: Traccar v3.16 still has log4j v1.2.17. However, log4j versions 1.x are only affected if the logging config file was specifically modified to perform JNDI lookups. See http://slf4j.org/log4shell.html for details.

Anton Tananaev 4 years ago

Basically no versions of Traccar are affected.

snoopy 4 years ago

Do you mean that Traccar's logging config by default does not have JNDI enabled?

Anton Tananaev 4 years ago

Correct. We never enable JMSAppender.
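A check for the condition discussed in this thread, as an added example that is not part of any post and is not Traccar's own code: it parses a log4j 1.x config (properties or XML format) and reports any appender whose class is `org.apache.log4j.net.JMSAppender`. The sample configs are constructed for illustration and are not Traccar's files; function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

def appenders_from_properties(text):
    """Return {appender_name: class} from a log4j 1.x .properties config."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join backslash line continuations
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":       # blank line or comment
            continue
        # Only "log4j.appender.NAME = class"; sub-keys like NAME.layout are skipped.
        m = re.match(r"log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def appenders_from_xml(text):
    """Return {appender_name: class} from a log4j 1.x XML config."""
    root = ET.fromstring(text.strip())
    return {a.get("name"): a.get("class") for a in root.iter("appender")}

def jms_appenders(text):
    """Sorted names of appenders configured as JMSAppender."""
    is_xml = text.lstrip().startswith("<")
    parse = appenders_from_xml if is_xml else appenders_from_properties
    return sorted(n for n, c in parse(text).items() if c == JMS_APPENDER)

# Constructed sample: file logging only, no JMSAppender.
SAMPLE_FILE_ONLY = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.DailyRollingFileAppender
log4j.appender.file.layout=org.apache.log4j.PatternLayout
"""
# Constructed sample: config modified to add a JMSAppender (one commented out).
SAMPLE_MODIFIED = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms = org.apache.log4j.net.JMSAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
"""
# Constructed sample: the same condition in XML form.
SAMPLE_XML = """
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="bus" class="org.apache.log4j.net.JMSAppender"/>
</log4j:configuration>
"""
```

An empty result from `jms_appenders` on your deployed logging config means no JMSAppender is configured there; any name returned should be reviewed and removed if it is not needed.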