Is cerebro impacted by CVE-2021-44228 (Apache Log4j)?

[SnDsound]

Hi,

Is cerebro impacted by CVE-2021-44228 (Apache Log4j) vulnerability?
Is a possibility to pass "-Dlog4j2.formatMsgNoLookups=true" for java by environment variable in docker compose?

Regards,
Peter

[t-braune]

Hey Peter,

i am not a contributor nor a java developer, here is what my research come out with:

• Nothing with log4j in the repo (usually you would have some log4j configuration flying around): https://github.com/lmenezes/cerebro/search?q=log4j
• It makes use of logback fileAppender (which is not using log4j): https://github.com/lmenezes/cerebro/blob/main/conf/logback.xml#L5

I would say there is nothing to concern about but i am not a security expert.

Regards,
Tobi

[sebastien-helbert]

Hey Peter,

i am not a contributor nor a java developer, here is what my research come out with:

• Nothing with log4j in the repo (usually you would have some log4j configuration flying around): https://github.com/lmenezes/cerebro/search?q=log4j
• It makes use of logback fileAppender (which is not using log4j): https://github.com/lmenezes/cerebro/blob/main/conf/logback.xml#L5

I would say there is nothing to concern about but i am not a security expert.

Regards, Tobi

I confirm, this PR can be closed