How to fix log4j vulnerability in Hibernate Validator maven package
I was wondering how to fix the vulnerability of log4j security issue called Log4Shell? On this link the author says that Hibernate Validator doesn't use log4j but jboss logging, however, when I look into the dependencies, it says that jboss logging uses log4j as a dependency.
In mvnrepository jboss logging shows the vulnerability.
I am using the latest version of maven Hibernate Validator: 7.0.2.Final and this is getting jboss logging version 3.4.2.Final which is using log4j 2.14.
Solution 1:
Those are all false positive CVE's. JBoss Logging is simply a logging facade that binds to loggers. It does nothing with the log manager so as long as the log manager you're using is safe, then you're safe.
Hibernate is NOT vulnerable to the CVE. JBoss Logging is not vulnerable to any of those CVE's either. JBoss Logging ONLY has a dependency on the log4j-api
which is not vulnerable.