Statement on Promregator and CVE 2021 44228 - promregator/promregator GitHub Wiki
On 2021-12-10, a major security alert, CVE-2021-44228, was raised for Java applications using Log4j2. The reason is a potential Remote Code Execution with full privileges that can compromise any server running a vulnerable application.
For Promregator v0.10.* and all lower versions, the following statement can be issued:
Promregator does not use log4j-core as its logging facility. Instead, it uses logback-classic. Hence, Promregator is not known to be vulnerable to the attack.
Promregator delivers dependent jar files in its classpath whose names start with the string `log4j`. However, these are only adapters and APIs for log4j and do not contain the problematic piece of code. For details, also refer to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot (the two dependencies of Promregator are introduced as indirect dependencies by spring-boot).
Therefore, Promregator is considered to be safe from attacks trying to exploit CVE-2021-44228.
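
One way to check the claim about the `log4j`-prefixed jars against a release artifact, as an added example that is not part of the Promregator project: the script walks a jar and its nested jars and reports every `log4j`-named jar, plus any jar (whatever its name) that contains `JndiLookup.class`, the log4j-core class behind CVE-2021-44228. The Spring Boot `BOOT-INF/lib` layout, the `log4j-api` and `log4j-to-slf4j` names (taken from the linked Spring post) and the `X.Y.Z` versions in the sample are assumptions constructed for the demonstration.

```python
import io
import zipfile

# Class implementing the JNDI lookup; it ships in log4j-core, not in the API or adapter jars.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_jar(data, path="app.jar"):
    """Return (jar path, has_jndi_lookup) for log4j-named or JndiLookup-carrying jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        names = set(zf.namelist())
        has_lookup = JNDI_LOOKUP in names
        # Report by name (what the statement refers to) and by content (catches shaded copies).
        if has_lookup or path.rsplit("/", 1)[-1].startswith("log4j"):
            findings.append((path, has_lookup))
        for name in sorted(names):
            if name.endswith(".jar"):  # recurse into nested jars of a fat jar
                findings.extend(scan_jar(zf.read(name), f"{path}!/{name}"))
    return findings


def make_jar(entries):
    """Build a jar in memory from {entry name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_fat_jar(with_core=False):
    """Constructed fat jar; with_core=True adds a stand-in log4j-core for comparison."""
    libs = {
        "BOOT-INF/lib/log4j-api-X.Y.Z.jar": make_jar({"org/apache/logging/log4j/Logger.class": b""}),
        "BOOT-INF/lib/log4j-to-slf4j-X.Y.Z.jar": make_jar({"org/apache/logging/slf4j/SLF4JLogger.class": b""}),
        "BOOT-INF/lib/logback-classic-X.Y.Z.jar": make_jar({"ch/qos/logback/classic/Logger.class": b""}),
    }
    if with_core:
        libs["BOOT-INF/lib/log4j-core-X.Y.Z.jar"] = make_jar({JNDI_LOOKUP: b""})
    return make_jar(libs)


if __name__ == "__main__":
    for jar, found in scan_jar(sample_fat_jar()):
        print(f"{jar}: JndiLookup {'PRESENT' if found else 'absent'}")
```

To scan a real artifact, pass the file's bytes to `scan_jar`; the check matches the class by its path only, so it confirms the absence of log4j-core code rather than assessing any particular version.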