Log4j security issue

Payara products don’t use the Log4j library directly, but if your application is using it, we recommend that you upgrade to the latest version of Log4J especially when running on a vulnerable JDK version. See Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

1 Like

But what I can see in logging.properties files which is located under (payara-5.2021.10\payara5\glassfish\domains\domain1\config) folder is pointing to log4j logger

(log4j.logger.org.hibernate.validator.util.Version=warn)

What I can see that payara internally uses log4j logger for the above hibernate validator util version, Could you please confirm is payara is not affected with log4j with the above property turned on.

It will be great if you provide some clarity on this.

The short answer is no, Payara is not affected with that property turned on.

" Log4j 2 is only a test dependency of Hibernate Validator (being a test dependency, Log4j 2 doesn’t come in your apps through Hibernate Validator so you don’t have to worry about this issue from the Hibernate Validator perspective)"

Their new releases fix the issue of Hibernate Validator being flagged as a false positive.

Hibernate Validator 6.2.1.Final and 7.0.2.Final released - In Relation To