Log4j vulnerability anf graphhopper

Is graphhopper vulnerable to the log4j vulnerability that has been highly publicized over the last couple of days? I’m not a Java programmer, but I do see log4j-xxx.jar files that seem to be part of graphhopper:

[root@host /]# find . -name "*log4j*" -print

./usr/local/graphhopper/tools/src/main/resources/log4j.xml
./usr/local/graphhopper/example/src/main/resources/log4j.xml
./usr/local/graphhopper/core/target/test-classes/log4j.xml
./usr/local/graphhopper/core/src/test/resources/log4j.xml
find: ‘./run/user/1000/gvfs’: Permission denied
./root/.m2/repository/log4j
./root/.m2/repository/log4j/log4j
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.pom.sha1
./root/.m2/repository/log4j/log4j/1.2.12/log4j-1.2.12.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar.sha1
./root/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.pom.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.30/log4j-over-slf4j-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.jar.sha1
./root/.m2/repository/org/slf4j/slf4j-log4j12/1.7.30/slf4j-log4j12-1.7.30.pom
[root@host /]#

No, because:

1. GraphHopper only ever used log4j 1, not 2
2. GraphHopper (4.x, but also since a few years) only uses log4j in tests, not production code (this is what the log4j.xml files are for)
3. We just removed log4j entirely just recently (current master)

GraphHopper uses logback for all its logging.

Thank you for explaining this, easbar!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.