Hi Marc,
I was waiting for that question ;)
All fine, BaseX uses a custom logger, as well as Jetty does [1,2].
You may need to check your setup, though, if you use Tomcat as web server or any additional search index applications like Solr or Elasticsearch. ES is only susceptible to information leak, not remote code execution [3].
Hope this helps, Christian
[1] https://docs.basex.org/wiki/Logging [2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.h... [3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnera...
On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht marc@crosseyed.nl wrote:
Does Basex (9.x or 8.x) use Log4j in any of its components? If not, should one still worry about the JRE?
Regards, Marc