Statement on Promregator and CVE-2021-44228 - promregator/promregator GitHub Wiki

On 2021-12-10, a major security alert, CVE-2021-44228, was raised for Java applications using Log4j2. The reason is a potential Remote Code Execution with full privileges that can compromise any server running a vulnerable application.

For Promregator v0.10.* and all lower versions, the following statement can be issued:

Promregator does not use log4j-core as its logging facility. Instead, it uses logback-classic. Hence, Promregator is not known to be vulnerable to the attack.

Promregator delivers dependency jar files in its classpath whose names start with the string log4j. However, these are only adapters and APIs for log4j and do not contain the problematic piece of code. For details, refer to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot (the two dependencies of Promregator are introduced as indirect dependencies by spring-boot).

Therefore, Promregator is considered to be safe from attacks trying to exploit CVE-2021-44228.
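
One way to check the distinction described above on a built artifact, as an added example that is not Promregator's own code: the scanner walks a jar and every jar nested in it, and separates log4j-named jars without the JndiLookup class (which ships only in log4j-core) from jars that carry it under any name. The jar names, the 0.0.0 versions and the BOOT-INF/lib/ layout in the sample are constructed assumptions about a Spring Boot style fat jar.

```python
import io
import zipfile

# JndiLookup ships only in log4j-core; the API and adapter jars do not contain it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_jar(data, name):
    """Return (path, verdict) for each jar that is log4j-named or carries JndiLookup."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable")]
    findings = []
    with zf:
        entries = zf.namelist()
        if JNDI_LOOKUP in entries:
            # Checked by content, so a renamed or shaded copy is still found.
            findings.append((name, "log4j-core code present"))
        elif name.rsplit("/", 1)[-1].startswith("log4j"):
            findings.append((name, "log4j-named, no JndiLookup"))
        for entry in entries:
            if entry.endswith(".jar"):  # nested library, e.g. under BOOT-INF/lib/
                findings += scan_jar(zf.read(entry), f"{name}!/{entry}")
    return findings

def make_jar(entries):
    """Build an in-memory jar from {entry: bytes} (used for constructed samples only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: API/adapter jars as described above, plus a shaded jar
    # (hypothetical name) that embeds log4j-core classes.
    api = make_jar({"org/apache/logging/log4j/Logger.class": b""})
    bridge = make_jar({"META-INF/MANIFEST.MF": b""})
    shaded = make_jar({JNDI_LOOKUP: b""})
    app = make_jar({
        "BOOT-INF/lib/log4j-api-0.0.0.jar": api,
        "BOOT-INF/lib/log4j-to-slf4j-0.0.0.jar": bridge,
        "BOOT-INF/lib/vendor-shaded-0.0.0.jar": shaded,
    })
    for path, verdict in scan_jar(app, "app.jar"):
        print(f"{verdict:28} {path}")
```

To scan a real artifact, pass the file's bytes and name to scan_jar; an empty result means no log4j-named jar and no JndiLookup class was found.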