My university is rolling out the requirement to install the Qualys vulnerability checking agent on all systems connected to the network, and the first report on our Manifold host complained about the existence of /opt/manifold/embedded/elasticsearch/lib/log4j-core-2.11.1.jar, referencing this NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-44228 .
zdavis transferred this issue from ManifoldScholar/manifold on Aug 22, 2022
We'll take a look. When this vulnerability came out, we checked our packages and confirmed that Manifold is not vulnerable. However, it does need to be updated, so we'll try to get this fixed in the 7.1 release.
Thanks. I figured it wasn't an actual vulnerability, but the Qualys scan isn't smart enough to know whether a particular file is ever invoked; it just flags their existence.
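A file-level check of the kind discussed in this thread, as an added example (not Qualys's or Manifold's code): it finds `log4j-core` jars under a directory, reads the version from the file name, and also reports whether the jar still contains the `JndiLookup` class. The function names and the report fields are assumptions made for this example.

```python
import re
import zipfile
from pathlib import Path

JAR_RE = re.compile(r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?.*\.jar$")
# Class that implements the JNDI lookup involved in CVE-2021-44228.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def in_affected_range(version):
    """2.x before 2.15.0, excluding the 2.3.1+ and 2.12.2+ security backports."""
    if version[0] != 2:
        return False
    if version[:2] == (2, 3):
        return version < (2, 3, 1)
    if version[:2] == (2, 12):
        return version < (2, 12, 2)
    return version < (2, 15, 0)


def scan(root):
    """Return one finding per log4j-core jar under root, from file evidence only."""
    findings = []
    for jar in sorted(Path(root).rglob("log4j-core-*.jar")):
        m = JAR_RE.search(jar.name)
        if not m:
            continue
        # Pre-release suffixes such as "-beta9" are ignored; a missing patch level is 0.
        version = tuple(int(g or 0) for g in m.groups())
        try:
            with zipfile.ZipFile(jar) as zf:
                has_jndi = JNDI_CLASS in zf.namelist()
        except zipfile.BadZipFile:
            has_jndi = None  # unreadable archive: report it rather than guess
        findings.append({
            "path": str(jar),
            "version": ".".join(map(str, version)),
            "in_affected_range": in_affected_range(version),
            "jndi_lookup_present": has_jndi,
        })
    return findings


if __name__ == "__main__":
    import sys
    for finding in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Both fields describe what is on disk; neither says whether the application ever loads the jar, which is the limitation raised in the reply above.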