We are are wondering if there are any efforts under way for the mitigation of the Log4j CVE in the spatial plugin. Log4J is only used in a couple areas, but it is there. Is there a plan to remove it altogether or update to to the newer version of Log4J.
Looking at the pom.xml file I see we depend on log4j 1.2.17. This is not affected by the CVE, at least according to the information at Log4j – Apache Log4j Security Vulnerabilities.
Log4j 1.x is not impacted by this vulnerability.
When I look at where it is used, it seems to be the GeoServer integration, and we would depend on the version used by the version of GeoServer. So if we port to a newer GeoServer, then we should make sure that the version of Log4j they use is not affected. But right now it does not seem to be a concern for the current version of the spatial library.
Thanks so much for quick reply. Very glad to hear that it isn't a problem.