JabRef is using log4j

eutektoid · December 14, 2021, 1:57pm

Hi, as I quickly scanned the source code of JabRef on GitHub for log4j, I found some mentions in it.
I would like to know, if the usage of the log4j library within JabRef makes JabRef vulnerable for any attacks. If so, what should I do? Unistall it till an update is out without log4j?
Cheers

Siedlerchr · December 14, 2021, 3:44pm

Hi,

JabRef uses log4j Snapshot 3.x and is not vulnerable and JabRef. Despite this, JabRef is a local application, not connected to a web server and does not log any input related to this.

Regards

eutektoid · December 14, 2021, 5:00pm

Hi Christoph,
thank you very much for the clarification.

Best regards

josephhamill · December 20, 2021, 3:47pm

Yes, Christopher, thanks for answering this question.

Siedlerchr · December 20, 2021, 3:52pm

We also took this as an opportunity to completely remove the log4j dependency. The next release (coming today or in the next days) will no longer include log4j.

eutektoid · December 20, 2021, 4:46pm

Thank you very much for all your effort and the transparency! It’s very nice of you to keep us in the loop.

Best regards

Topic		Replies	Views
JabRef 5.3 jar file Help	12	980	September 6, 2021
JabRef on Windows without Java? Help	2	2634	April 9, 2019
JabRef-build-snapshot killed my stable JabRef-3.8.1 Help	5	1070	April 1, 2017
Jabref 4.0 on Ubuntu 16.04 LTS Help	6	4584	June 21, 2018
JabRef 5.2 on Ubuntu 20.04 Help	3	459	June 2, 2021

JabRef is using log4j

Related Topics