Details
- Type: Bug
- Status: Closed
- Priority: Critical
- Resolution: Fixed
- 3.8.4
- None
- Environment: Windows 10. But I know how to make it work like Linux.
Description
I use Maven to build a Java WAR into a Tomcat webapps directory. During this process, I've issued that I am not using log4j anywhere. Nevertheless, every time I build, log4j appears in the .m2 directory. I walked dependency trees and executed finds in a variety of directories and can't find the dependency. However, when I executed Maven in verbose mode I found it. Apparently, the maven-compiler-plugin requires an old and vulnerable version of log4j. Worse yet, I believe Tomcat is using it dynamically, without configuration, by its mere presence in the .m2 directory. Hence, a security scanner flagged my website as having the log4j vulnerability.
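The report above turns on two questions: which log4j artifacts are sitting in the local Maven repository, and whether any of them were actually packaged into the deployed web application. The following script is an added example, not part of the bug report or of any Maven or Tomcat project code. It walks a Maven local repository and derives group, artifact and version from the standard repository path layout, then separately lists log4j jars under a Tomcat webapps tree (the `WEB-INF/lib` jars are what a deployed application loads), so the two locations can be told apart. The repository and webapps paths, and the sample tree the demo builds, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): inventory log4j jars in a Maven local
# repository and in a Tomcat webapps tree. Paths are assumptions; pass your own.
set -eu

# Print "m2 group:artifact:version path" for every log4j jar under a Maven repo root.
# Layout assumed is the standard one: <repo>/<group path>/<artifact>/<version>/<jar>.
scan_m2() {
    repo="$1"
    find "$repo" -type f -name 'log4j*.jar' 2>/dev/null | while read -r jar; do
        dir=$(dirname "$jar")            # .../<artifact>/<version>
        version=$(basename "$dir")
        artdir=$(dirname "$dir")         # .../<group path>/<artifact>
        artifact=$(basename "$artdir")
        # Strip the repo prefix and turn the remaining path into a dotted groupId.
        group=$(dirname "$artdir" | sed "s#^$repo/##; s#/#.#g")
        printf 'm2 %s:%s:%s %s\n' "$group" "$artifact" "$version" "$jar"
    done
}

# Print "webapp <jar name> path" for every log4j jar in any deployed WEB-INF/lib.
scan_webapps() {
    webapps="$1"
    find "$webapps" -type f -path '*/WEB-INF/lib/log4j*.jar' 2>/dev/null | while read -r jar; do
        printf 'webapp %s %s\n' "$(basename "$jar" .jar)" "$jar"
    done
}

# Combined report over both locations.
report() {
    scan_m2 "$1"
    scan_webapps "$2"
}

# Demo on a constructed sample tree (versions and paths are made-up sample data).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/m2/log4j/log4j/1.2.17" \
             "$tmp/m2/org/apache/logging/log4j/log4j-core/2.17.1" \
             "$tmp/webapps/site/WEB-INF/lib"
    : > "$tmp/m2/log4j/log4j/1.2.17/log4j-1.2.17.jar"
    : > "$tmp/m2/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar"
    : > "$tmp/webapps/site/WEB-INF/lib/log4j-1.2.17.jar"
    report "$tmp/m2" "$tmp/webapps"
    rm -rf "$tmp"
}

demo
```

On a real machine, call `report "$HOME/.m2/repository" /path/to/tomcat/webapps`. Note that `mvn dependency:tree` only shows the project's own dependencies; artifacts pulled in by a plugin (the case described above) appear in the debug output of `mvn -X`, which is where the reporter found them. A `webapp` line in the output means the jar is inside the deployed application and is the one a scanner or the application itself will actually see; an `m2` line with no matching `webapp` line means the artifact is only in the local build cache.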