Quarkus is NOT affected by Log4j remote code execution CVE but if you do use log4j please update! #22108
maxandersen announced in Announcements
Replies: 0 comments
Quarkus does not use the log4j implementation that is behind CVE-2021-44228 and is therefore not directly affected.
Quarkus uses a log manager that is optimized for speed.
If you only use the Quarkus logging APIs, you are not affected.
The issue is quite serious: it is trivial to exploit if your application logs any kind of text input coming from users.
That is something you should not do, but it is a common occurrence.
Therefore, if you do use log4j directly within your application (whether it is a Quarkus application or not), please upgrade to Log4j version 2.15.0 as soon as possible.
If you cannot upgrade directly, then at least run with
-Dlog4j2.formatMsgNoLookups=true
to disable the code path that is exploited. Again, this is not required if you use Quarkus only; it is given here as general information, since we know log4j is widely used.
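The two mitigations above (upgrade log4j-core to 2.15.0, or at least start the JVM with -Dlog4j2.formatMsgNoLookups=true) are easy to state but tedious to verify across a fleet. The script below is an added example, not part of this announcement or of Quarkus itself: it inventories the log4j-core version embedded in jar files under a directory and checks whether a JVM argument string carries the mitigation flag. It assumes that unzip is installed and that log4j-core jars carry the standard Maven descriptor at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Quarkus announcement): find log4j-core versions
# inside jar files and report whether the upgrade advice applies.
# Assumption: log4j-core jars ship the standard Maven pom.properties at
#   META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties
# and `unzip` is available.

# Return 0 (true) when VERSION is a Log4j 2.x release older than the fixed
# version 2.15.0 named in the post. Only the 2.x line is judged; anything
# else (e.g. 1.x) is a different implementation and is reported as not covered.
log4j_needs_upgrade() {
    # Keep only the leading dotted numeric part ("2.0-beta9" -> "2.0").
    num=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=$(printf '%s' "$num" | cut -s -d. -f1)
    min=$(printf '%s' "$num" | cut -s -d. -f2)
    [ -z "$maj" ] && maj=$num   # a bare "2" has no dot, so cut -s prints nothing
    [ -z "$maj" ] && maj=0
    [ -z "$min" ] && min=0
    [ "$maj" -eq 2 ] && [ "$min" -lt 15 ]
}

# Return 0 when the JVM argument string (for example "$JAVA_TOOL_OPTIONS" or the
# command line of a running java process) contains the mitigation flag from the post.
lookups_disabled() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk DIR, read the Maven version of each embedded log4j-core, and print a verdict.
scan_jars() {
    find "$1" -name '*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(unzip -p "$jar" \
                'META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties' \
                2>/dev/null | sed -n 's/^version=//p')
        [ -z "$ver" ] && continue          # jar does not bundle log4j-core
        if log4j_needs_upgrade "$ver"; then
            printf '%s: log4j-core %s -> upgrade to 2.15.0 (or run with -Dlog4j2.formatMsgNoLookups=true)\n' "$jar" "$ver"
        else
            printf '%s: log4j-core %s -> not in the affected 2.x range\n' "$jar" "$ver"
        fi
    done
}

# Usage: ./log4j-inventory.sh /path/to/app/lib
if [ "$#" -gt 0 ]; then
    scan_jars "$1"
    if lookups_disabled "${JAVA_TOOL_OPTIONS:-}"; then
        echo "JAVA_TOOL_OPTIONS already disables message lookups"
    fi
fi
```

Run it against the lib directory of a deployed application; the jar verdicts tell you which artifacts still need the 2.15.0 upgrade, and the JAVA_TOOL_OPTIONS check tells you whether the interim flag is in effect for anything started in that environment. Note that the flag only helps on log4j-core versions that honour it, so the upgrade remains the real fix.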
Thank you and Happy "upgrade-log4j" Friday!
Update 2021-12-15: Blog posted