Is graphhopper vulnerable to the log4j vulnerability that has been highly publicized over the last couple of days? I’m not a Java programmer, but I do see log4j-xxx.jar files that seem to be part of graphhopper:
[root@host /]# find . -name "*log4j*" -print
./usr/local/graphhopper/tools/src/main/resources/log4j.xml
./usr/local/graphhopper/example/src/main/resources/log4j.xml
./usr/local/graphhopper/core/target/test-classes/log4j.xml
./usr/local/graphhopper/core/src/test/resources/log4j.xml
find: ‘./run/user/1000/gvfs’: Permission denied
./root/.m2/repository/log4j
./root/.m2/repository/log4j/log4j
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom
[root@host /]#