
Is the Grails 3.3.2 dependency on tomcat-embed-logging-log4j-8.5.2.jar an issue due to recent log4j vulnerabilities?


I have 5 Grails servers built on 3.3.2 and they all have this dependency:

+--- org.grails:grails-plugin-rest: -> 3.3.2
|    +--- org.grails:grails-plugin-datasource:3.3.2
|    |    \--- org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.5.2

Answer

Is the Grails 3.3.2 dependency on tomcat-embed-logging-log4j-8.5.2.jar an issue due to recent log4j vulnerabilities?

No. Your app could still have a dependency on something that brings the vulnerability in, but tomcat-embed-logging-log4j-8.5.2.jar does not.

source: stackoverflow.com
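
One way to check the rest of the dependency tree for the case the answer mentions, as an added example that is not part of the original question or answer: it parses `gradle dependencies`-style output and lists every path that resolves to `org.apache.logging.log4j:log4j-core` (Log4j 2) or `log4j:log4j` (Log4j 1.x). The `com.example:reporting-lib` branch and its versions are constructed sample data, and the function names are hypothetical.

```python
import re

# Coordinates to report: Log4j 2 core and the Log4j 1.x artifact (chosen for this example).
WATCHED = {("org.apache.logging.log4j", "log4j-core"), ("log4j", "log4j")}

# One tree line: indent in 5-character columns, a "+--- " or "\--- " marker,
# the coordinate, and an optional " -> resolved" version.
LINE = re.compile(r"^(?P<indent>[| ]*)[+\\]--- (?P<coord>\S+)(?: -> (?P<resolved>\S+))?")

# Constructed sample: the first three lines are the tree from the question,
# the com.example branch and its versions are made up for the demonstration.
SAMPLE = r"""
+--- org.grails:grails-plugin-rest: -> 3.3.2
|    +--- org.grails:grails-plugin-datasource:3.3.2
|    |    \--- org.apache.tomcat.embed:tomcat-embed-logging-log4j:8.5.2
\--- com.example:reporting-lib:1.0.0
     \--- org.apache.logging.log4j:log4j-core:0.0.1 -> 0.0.2
"""

def parse_line(line):
    """Return (depth, group, name, resolved_version) or None for non-tree lines."""
    m = LINE.match(line)
    if not m:
        return None
    parts = m.group("coord").split(":")
    if len(parts) < 2:
        return None
    declared = parts[2] if len(parts) > 2 else ""
    # The version after "->" is the one Gradle actually resolved.
    version = m.group("resolved") or declared
    return len(m.group("indent")) // 5, parts[0], parts[1], version

def find_log4j(tree_text):
    """Return (coordinate, resolved_version, dependency_path) for each watched artifact."""
    stack, hits = [], []  # stack[d] holds the coordinate at depth d on the current path
    for line in tree_text.splitlines():
        node = parse_line(line)
        if node is None:
            continue
        depth, group, name, version = node
        del stack[depth:]
        stack.append(f"{group}:{name}")
        if (group, name) in WATCHED:
            hits.append((stack[-1], version, " > ".join(stack)))
    return hits

if __name__ == "__main__":
    for coord, version, path in find_log4j(SAMPLE):
        print(f"{coord} resolved to {version} via {path}")
```

The Tomcat artifact from the question is not reported because matching is on the exact group and name, not on the substring "log4j".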