Mihnita: Created page with " See [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 CVE-2021-45105], [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 CVE-2021-45046], [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 CVE-2021-44228], and the [https://logging.apache.org/log4j/2.x/security.html Log4j Security page]. After the recent weave of remote code execution vulnerabilities related to Apache Log4j we checked all the Okapi code, and that of all Okapi-relat..."

2021-12-24T21:37:29Z

Created page with " See [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 CVE-2021-45105], [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 CVE-2021-45046], [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 CVE-2021-44228], and the [https://logging.apache.org/log4j/2.x/security.html Log4j Security page]. After the recent weave of remote code execution vulnerabilities related to Apache Log4j we checked all the Okapi code, and that of all Okapi-relat..."

New page

See
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105 CVE-2021-45105],
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 CVE-2021-45046],
[https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 CVE-2021-44228],
and the [https://logging.apache.org/log4j/2.x/security.html Log4j Security page].

After the recent weave of remote code execution vulnerabilities related to Apache Log4j we checked
all the Okapi code, and that of all Okapi-related projects hosted under https://bitbucket.org/okapiframework/:

* [https://bitbucket.org/okapiframework/acorn/ acorn]
* [https://bitbucket.org/okapiframework/beagle/ beagle]
* [https://bitbucket.org/okapiframework/longhorn/ longhorn]
* [https://bitbucket.org/okapiframework/longhorn-js-client/ longhorn-js-client]
* [https://bitbucket.org/okapiframework/maven-repo/ maven-repo]
* [https://bitbucket.org/okapiframework/okapi/ okapi]
* [https://bitbucket.org/okapiframework/okapi-integration-tests/ okapi-integration-tests] (DEPRECATED!)
* [https://bitbucket.org/okapiframework/okapi-linguistic-tools/ okapi-linguistic-tools]
* [https://bitbucket.org/okapiframework/okapi-validation-tools/ okapi-validation-tools]
* [https://bitbucket.org/okapiframework/olifant/ olifant]
* [https://bitbucket.org/okapiframework/omegat-plugin/ omegat-plugin]
* [https://bitbucket.org/okapiframework/quest/ quest]
* [https://bitbucket.org/okapiframework/sandbox/ sandbox]
* [https://bitbucket.org/okapiframework/srx-repository/ srx-repository]
* [https://bitbucket.org/okapiframework/xliff-toolkit/ xliff-toolkit] (DEPRECATED!)

'''None of that code depends on <code>log4j</code>, directly or indirectly.''' 
'''So we are not affected.'''

'''But it does not mean you are safe and have nothing to do.''' 
'''If a product using Okapi binds <code>log4j</code> with SLF4J, then they are at risk, but it is not because of Okapi.''' 
'''They should apply the log4j updates as necessary, or switch to another logging framework.'''

The Okapi Framework uses [https://www.slf4j.org/ SLF4J] for logging.

That is an abstraction for various logging frameworks (e.g. <code>java.util.logging</code>, <code>logback</code>, <code>log4j</code>)
allowing developers (or even end users) to plug in the desired logging framework at deployment time.

Okapi itself does not require an update, as it does not come "out of the box" with any one logging framework.

Some of our projects use Okapi to build applications that bind to a logging framework:

* The Okapi binaries bind <code>slf4j</code> to <code>[https://logback.qos.ch/ logback]</code>.
* Acorn binds with <code>log4j12</code>, which is not affected by the recent disclosures (but <code>log4j12</code> is unmaintained, deprecated, and has its own share of problems)

About the Log4j2 vulnerabilities - Revision history