
[MDEP-792] Log4j vulnerability dependencies getting downloaded during the Maven build process #1289

Description

@jira-importer

Abhishek Patnaik opened MDEP-792 and commented

We are using Maven as the build tool for a MuleSoft application using Jenkins.

As part of the log4j2 vulnerability scan reports, the MuleSoft Jenkins build servers got listed.

We verified that the application JAR file does not refer to these older versions of log4j.

Below are the findings when we use Maven versions 3.6.3 and 3.8.4.

Before running the build, we had already cleaned up /tmp and /.m2.
| Artifact | Maven 3.6.3 | After upgrade to Maven 3.8.4 |
|---|---|---|
| log4j | 2.11.2, 2.13.1, 2.17.1, 2.9.1 | 2.11.2, 2.13.1, 2.17.1, 2.9.1 |
| log4j-1.2-api | 2.13.1 | 2.13.1 |
| log4j-api | 2.13.1, 2.17.1, 2.9.1 | 2.13.1, 2.17.1, 2.9.1 |
| log4j-core | 2.13.1, 2.17.1, 2.9.1 | 2.13.1, 2.17.1, 2.9.1 |
| log4j-slf4j-impl | 2.11.2, 2.13.1, 2.9.1 | 2.11.2, 2.13.1, 2.9.1 |

Labels: bug (Something isn't working), priority:major (Major loss of function)