Update Log4j 1.2 to 2.3.2 #354

rohan2001 · 2023-03-24T11:45:50Z

No description provided.

rohan2001 · 2023-03-24T11:46:38Z

We see Log4j 1.x is used which is causing tf to be vulnerable. Is there way to mitigate this

UmmerS · 2023-10-03T08:07:34Z

We see Log4j 1.x is used which is causing tf to be vulnerable. Is there way to mitigate this

@rohan2001 have you got any solution for this issue.

rohan2001 · 2023-10-03T08:26:01Z

@UmmerS I havent got the solution yet.
Do let me know if there is any alternative available

UmmerS · 2023-10-03T11:09:26Z

@eric-milles please update log4j for latest version and release new version 14.138.0
Many are facing this issue
Thanks in advance.

UmmerS · 2023-10-09T10:41:19Z

@eric-milles
Thanks for update to log4j-1.2.17.jar
But log4j-1.2.17.jar is also vulnerable need to migrate to Log4j v2

eric-milles · 2023-10-09T15:00:42Z

@UmmerS It is a work in progress. Log4j 2 is not a drop-in replacement since Team Explorer extends FileAppender and uses DOMConfigurator and PropertyConfigurator. https://logging.apache.org/log4j/2.x/manual/migration.html#limitations-of-the-log4j-1-x-bridge

rohan2001 · 2023-10-10T16:30:04Z

@UmmerS @eric-milles what is the fix. New version released?

rohan2001 · 2023-10-10T16:30:32Z

@UmmerS @eric-milles Steps to mitigate vulnerability

eric-milles · 2023-10-10T17:11:15Z

a release is coming shortly

eric-milles added a commit that referenced this issue Oct 6, 2023

log4j 1.2.17

eea2f79

for #348 #351 #354

eric-milles self-assigned this Oct 6, 2023

eric-milles added the enhancement label Oct 6, 2023

eric-milles changed the title ~~How remove Log4J 1.2.x Jar vulnerability on Team Explorer version 14.137.0~~ Update Log4j 1.2 to 2.3.2 Oct 9, 2023

eric-milles added a commit that referenced this issue Oct 10, 2023

log4j 2.3.2

6bbe80e

for #351 #354

eric-milles closed this as completed Oct 10, 2023

Provide feedback