Details
Type: Improvement
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: EE-3.3.0.GA, EE-4.3.0.GA
Fix Version/s: EE-3.3.0.GA_P10
Component/s: Project Templates, Release
Labels: None
Environment: ICEfaces EE
Description
The ICEfaces EE 3.3.0.GA and EE 4.3.0.GA bundles currently include references to the Apache log4j 1.x library.
This JIRA is to review log4j's usage in these bundles and remove it if feasible to reduce exposure to any possible log4j exploit concerns.
ICEfaces EE 3.3.0.GA_P09
The log4j library is referenced in the following locations in the binary bundle:
ICEfaces EE 4.3.0.GA_P03
The log4j library is included in the icepush-ee/lib folder in the icefaces-ee-4.3.0.GA_P09-src.zip bundle only, and has the following manifest:
Name: org.apache.log4j
Implementation-Title: log4j
Implementation-Vendor: "Apache Software Foundation"
Implementation-Version: 1.2.15
As it is used during development/debugging of icepush-ee only, the binary bundle has no references to it.
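One way to carry out this kind of review is to scan a bundle, including nested archives, for jars whose manifest declares `Implementation-Title: log4j`, as in the manifest quoted above. This is an added example, not ICEsoft's tooling; the jar file names and the in-memory sample bundle are constructed for illustration.

```python
import io
import zipfile

def parse_manifest(text):
    """Split MANIFEST.MF into per-section dicts, unfolding continuation lines."""
    text = text.replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in text.split("\n\n"):
        pairs = (l.split(":", 1) for l in block.splitlines() if ":" in l)
        sections.append({k.strip(): v.strip() for k, v in pairs})
    return sections

def find_log4j(bundle_bytes, path=""):
    """Return [(archive path, version)] for each archive whose manifest names log4j."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        for name in zf.namelist():
            if name.upper() == "META-INF/MANIFEST.MF":
                text = zf.read(name).decode("utf-8", "replace")
                for sec in parse_manifest(text):
                    if sec.get("Implementation-Title", "").lower() == "log4j":
                        hits.append((path, sec.get("Implementation-Version", "unknown")))
            elif name.lower().endswith((".jar", ".war", ".zip")):
                try:  # recurse into nested archives (jar inside a src/bin zip)
                    hits += find_log4j(zf.read(name), f"{path}!/{name}" if path else name)
                except zipfile.BadZipFile:
                    pass  # not a readable archive; skip it
    return hits

def make_zip(files):
    """Build an in-memory zip from {name: content}; used only for the sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

# Constructed sample: a bundle with one log4j jar and one unrelated jar.
LOG4J_MF = ("Manifest-Version: 1.0\r\n\r\nName: org.apache.log4j\r\n"
            "Implementation-Title: log4j\r\nImplementation-Version: 1.2.15\r\n")
SAMPLE = make_zip({
    "icepush-ee/lib/log4j.jar": make_zip({"META-INF/MANIFEST.MF": LOG4J_MF}),
    "icepush-ee/lib/other.jar": make_zip({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n"}),
})

if __name__ == "__main__":
    print(find_log4j(SAMPLE))
```

Matching on the manifest rather than the file name still finds a renamed jar, but it will miss log4j classes repackaged into another jar without their manifest section.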