JavaMelody core is not affected by this CVE. In general, it does not include log4j, as the dependency is optional.
Most applications monitored by javamelody use either the dependency (jar file) javamelody-core or the dependency javamelody-spring-boot-starter. Both are not affected by the CVE, because they do not include log4j and they do not declare a compile or runtime dependency on log4j. Other applications use a plugin for Jenkins or for JIRA/Confluence/Bamboo/Bitbucket or for Liferay or for Alfresco or for Sonar or for Grails. Those plugins are not affected for the same reason. The optional javamelody collect server is sometimes used, even if much less than javamelody-core or javamelody-spring-boot-starter or the javamelody plugins. When used, it is in a different server (that is not in the monitored applications).
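An added example, not part of the thread or of JavaMelody's code: a sketch of the Maven rule the answer above relies on, where an optional or non-compile/runtime dependency declared by a library is not inherited by the applications that use it. The POM below is constructed for illustration (it is not JavaMelody's real pom.xml), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
TRANSITIVE_SCOPES = {"compile", "runtime"}  # provided/test/system do not propagate

# Constructed POM for illustration only; NOT JavaMelody's real pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.14.1</version>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>2.14.1</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>some-util</artifactId>
      <version>3.2</version>
    </dependency>
  </dependencies>
</project>"""

def inherited_dependencies(pom_xml):
    """Direct dependencies of this POM that a consuming application inherits.
    Parent POMs, properties and dependencyManagement are not resolved here."""
    inherited = []
    for dep in ET.fromstring(pom_xml).findall("m:dependencies/m:dependency", NS):
        def field(tag, default=""):
            return (dep.findtext(f"m:{tag}", default, NS) or default).strip()
        if field("optional", "false").lower() == "true":
            continue  # optional: stays with the library, never reaches consumers
        if field("scope", "compile") not in TRANSITIVE_SCOPES:
            continue
        inherited.append((field("groupId"), field("artifactId"), field("version")))
    return inherited

def inherited_log4j_core(pom_xml):
    return [d for d in inherited_dependencies(pom_xml)
            if d[:2] == ("org.apache.logging.log4j", "log4j-core")]

if __name__ == "__main__":
    print(inherited_dependencies(SAMPLE_POM))
    mandatory = SAMPLE_POM.replace("<optional>true</optional>", "")
    print(inherited_log4j_core(mandatory))
```

An application can still pull in log4j-core through its own POM or another library, so the resolved dependency tree of the final build is what needs checking.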
Hello,
Do you know if JavaMelody is affected by CVE-2021-44228?
I've been looking up but I found nothing.
Thank you very much