How to fix log4j vulnerability in Hibernate Validator maven package

java hibernate maven log4j jboss

I was wondering how to fix the vulnerability of log4j security issue called Log4Shell? On this link the author says that Hibernate Validator doesn't use log4j but jboss logging, however, when I look into the dependencies, it says that jboss logging uses log4j as a dependency.

In mvnrepository jboss logging shows the vulnerability.

I am using the latest version of maven Hibernate Validator: 7.0.2.Final and this is getting jboss logging version 3.4.2.Final which is using log4j 2.14.


Solution 1:

Those are all false positive CVE's. JBoss Logging is simply a logging facade that binds to loggers. It does nothing with the log manager so as long as the log manager you're using is safe, then you're safe.

Hibernate is NOT vulnerable to the CVE. JBoss Logging is not vulnerable to any of those CVE's either. JBoss Logging ONLY has a dependency on the log4j-api which is not vulnerable.

Related

How to detect phone number on multiline using Regex?
Multiple Independent IntegrationFlow
How can I use bootstrap 5 Javascript in my Next JS app?
How do I register my custom Environment Post Processor in Spring Boot 2.0?
"'this' is not available" in debug windows of Android Studio
How to scrape a Reactjs page? [duplicate]
How can I show the "Dimension" column in Finder?
Why does "Copy" replace stuff instead of merging it?
What's the canonical name for the "sunburst" waiting animation?
Easy way to install additional spell-check dictionaries for OS X?
Add apps to "Files and Folders" permissions?
Restore Access to File System for Emacs on MacOS Catalina