Impact
UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype version 2.0.0 have a maven dependency with scope test to log4j 2.8.2 and might be affected by CVE-2021-44228.
Patches
-
The issue has been resolved in de.averbis.textanalysis:pear-archetype version 2.0.1. Please make sure to use de.averbis.textanalysis:pear-archetype version >= 2.0.1 for generating new PEAR projects.
-
Existing maven PEAR projects can be patched by manually upgrading to log4j >= 2.16.0 in pom.xml.
References
https://www.lunasec.io/docs/blog/log4j-zero-day/
For more information
If you have any questions or comments about this advisory:
Impact
UIMA PEAR projects that have been generated with the
de.averbis.textanalysis:pear-archetypeversion2.0.0have a maven dependency with scopetesttolog4j 2.8.2and might be affected by CVE-2021-44228.Patches
The issue has been resolved in
de.averbis.textanalysis:pear-archetypeversion2.0.1. Please make sure to usede.averbis.textanalysis:pear-archetypeversion >=2.0.1for generating new PEAR projects.Existing maven PEAR projects can be patched by manually upgrading to
log4j>=2.16.0inpom.xml.References
https://www.lunasec.io/docs/blog/log4j-zero-day/
For more information
If you have any questions or comments about this advisory: