Since early this morning (2021-12-10T06:19:15Z) we have been
investigating the potential impact on Vespa from the recently
discovered vulnerability in the log4j library
CVE-2021-44228.
Based on our investigations as well as guidance and analysis from our
security team, we currently do not believe that any published Vespa
version is vulnerable to this issue. Vespa does not include log4j
versions >= 2.0, nor any use of the vulnerable JMSAppender class
present in earlier versions of the library.
Your Vespa application may still be affected if log4j is included in
your application package, either directly or transitively! We believe
most uses of the library can be discovered by running the following
command in your application package Maven project root and inspecting
the output:
mvn dependency:tree
We will release a version of Vespa only including log4j >= 2.15 as
soon as all our dependencies have been updated.
Update: We have completely removed all use of log4j from Vespa since
version 7.520.3, released 2021-12-22.
Update 2: On Vespa Cloud,
we have enforced that user applications do not contain any log4j dependencies
older than version 2.17.1 since Vespa 7.528.38, released 2022-01-17.
