Log4j vulnerability and graphhopper

Is graphhopper vulnerable to the log4j vulnerability that has been highly publicized over the last couple of days? I’m not a Java programmer, but I do see log4j-xxx.jar files that seem to be part of graphhopper:

[root@host /]# find . -name "*log4j*" -print

./usr/local/graphhopper/tools/src/main/resources/log4j.xml
./usr/local/graphhopper/example/src/main/resources/log4j.xml
./usr/local/graphhopper/core/target/test-classes/log4j.xml
./usr/local/graphhopper/core/src/test/resources/log4j.xml
find: ‘./run/user/1000/gvfs’: Permission denied
./root/.m2/repository/log4j
./root/.m2/repository/log4j/log4j
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom
[root@host /]#

1 Like

No, because:

  1. GraphHopper only ever used log4j 1, not 2
  2. GraphHopper (4.x, but also for a few years already) only uses log4j in tests, not in production code (this is what the log4j.xml files are for)
  3. We removed log4j entirely just recently (current master)

GraphHopper uses logback for all its logging.

3 Likes
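Following the distinction easbar draws, an added example (not from this thread or from GraphHopper) that classifies jars found on disk by looking inside each archive rather than at its file name: Log4j 2 core carrying its JNDI lookup class, Log4j 2 core without it, the log4j 1.x package (which log4j-over-slf4j also provides), or unrelated. The class and pom.properties paths are the real Maven entry names; the jars built in demo() are constructed fixtures holding only empty marker entries, and their version string is a placeholder.

```python
import os
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"

def classify_jar(path):
    """Return (kind, version): 'log4j2-core' (Log4j 2 core with JndiLookup), 'log4j2-core-no-jndi',
    'log4j1-api' (log4j 1.x or an slf4j bridge re-implementing that package), 'unrelated', 'unreadable'."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if not any(n.startswith("org/apache/logging/log4j/core/") for n in names):
                return ("log4j1-api" if LOG4J1_CLASS in names else "unrelated"), None
            # Maven stamps the artifact version into pom.properties; absent in repackaged jars.
            props = zf.read(CORE_PROPS).decode("utf-8", "replace").splitlines() if CORE_PROPS in names else []
            version = next((l.split("=", 1)[1].strip() for l in props if l.startswith("version=")), None)
            return ("log4j2-core" if JNDI_CLASS in names else "log4j2-core-no-jndi"), version
    except zipfile.BadZipFile:
        return "unreadable", None

def scan_tree(root):
    """Walk root and list every jar that is not 'unrelated', sorted by relative path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, name)
            kind, version = classify_jar(path)
            if kind != "unrelated":
                findings.append((os.path.relpath(path, root), kind, version))
    return sorted(findings)

def demo():
    """Scan a constructed tree shaped like the question's find output (marker entries only)."""
    root = tempfile.mkdtemp()
    fixtures = {
        "m2/log4j/log4j-1.2.17.jar": {LOG4J1_CLASS: b""},
        "m2/slf4j/log4j-over-slf4j-1.7.30.jar": {LOG4J1_CLASS: b""},
        "lib/log4j-core-2.x.jar": {JNDI_CLASS: b"", CORE_PROPS: b"version=2.x.y-constructed\n"},
        "lib/logback-classic.jar": {"ch/qos/logback/classic/Logger.class": b""},
    }
    for rel, entries in fixtures.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)
    return scan_tree(root)
```

A Maven cache under ~/.m2, like the one in the question, shows what a build has downloaded, not what a deployed server loads, so point scan_tree at the deployed classpath rather than the build machine.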

Thank you for explaining this, easbar!
