Is Ninja-Framework safe regarding "Critical New 0-day Vulnerability in Popular Log4j Library"? about ninja HOT 4 CLOSED

• The log4j-vulnerability belongs to "log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1" which is described here: https://logging.apache.org/log4j/2.x/security.html

There is also written, that the mitigation would be:

• In releases >=2.10, ...
• For releases from 2.0-beta9 to 2.10.0, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

--> Which gave me indirectly the information, that the "vulnerability" is placed in the "org/apache/logging/log4j/core/lookup/JndiLookup.class".

Ok, this is what I have done right now to check, if my app uses "log4j" (or at least if it has included this class):

• I build a "fat jar" of my app via "maven package"
• I extracted all files from within that jar into an folder in my filesystem
• I searched in that folder for "log4j"

... I did not find the path "org/apache/logging/log4j" and also no class named "JndiLookup.class" in that path.

Which, indirectly should mean, that my ninja-app is not affected to this specific "security vulnerability"?

Thanks for help and best regards

from ninja.

@raphaelbauer as the main contributor of ninjaframework, any thoughts about that issue?

thanks and best regards

from ninja.

We use Ninja extensively in our public-facing and internal apps and based on our review, we have NO log4j exposure.

However, Ninja is simply a framework and someone could go out of their way to force log4j use thru switching out of Ninja's default logback logger. So, its best to check yourself as well. However, if you're using Ninja out of the box, you should be all set.

from ninja.

Good to hear that and thanks for your answer!

cheers

from ninja.