One needs to check *all* jars too. I notice that the c3p0
db connection pool package uses a lib (by the same author)
called mchange-commons that incorporates log4j:
On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:

Hi Team,

We are using the below jars provided by you. We want to ensure and know if they are impacted by "Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)". If impacted, please let us know about the security recommendation. To know, we are looking for the following answers.

Jars (name, version):
jetty-4.2.19 (4.2.19)
jetty-continuation-7.5.4.v20111024 (7.5.4)
jetty-http-7.5.4.v20111024 (7.5.4)
jetty-security-7.5.4.v20111024 (7.5.4)
jetty-util-7.5.4.v20111024 (7.5.4)
jetty-io-7.5.4.v20111024 (7.5.4)
jetty-server-7.5.4.v20111024 (7.5.4)

Are you using log4j?
If you are using a log4j 1.x version, are you using the JMSAppender class?
If you are using log4j 2.x, what is your security recommendation to fix the issue?
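The reply above makes the point that a dependency list is not enough: log4j can arrive inside another library's jar, so every archive, including jars nested inside fat/shaded jars, has to be inspected. The following scanner is an added example written for this thread; it is not code from Jetty, from the mailing-list authors, or from the mchange projects. It recurses into nested archives and reports two well-known class paths: `org/apache/logging/log4j/core/lookup/JndiLookup.class` (present in log4j-core 2.x and the class behind the CVE-2021-44228 lookup) and `org/apache/log4j/net/JMSAppender.class` (the log4j 1.x class the original mail asks about). The sample jar built by `build_sample_jar` is constructed for the demonstration and does not represent any real Jetty or c3p0 artifact.

```python
import io
import sys
import zipfile
from pathlib import Path

# Indicator class entries: real class paths in log4j 2.x core and log4j 1.x.
# Matching on exact entry names avoids false positives from unrelated "log4j" strings.
INDICATORS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x core (JndiLookup present)",
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x (JMSAppender present)",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, label: str, findings=None) -> list:
    """Scan one archive held in memory; recurse into nested archives.

    Returns a list of (archive_label, entry_name, description) tuples. Nested
    archives are labelled outer.jar!inner/path.jar so the report shows where
    the embedded log4j actually lives.
    """
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container: nothing to inspect
    with zf:
        for name in zf.namelist():
            if name in INDICATORS:
                findings.append((label, name, INDICATORS[name]))
            elif name.lower().endswith(ARCHIVE_SUFFIXES):
                # Shaded/fat jars hide the classes from a top-level listing.
                scan_archive(zf.read(name), f"{label}!{name}", findings)
    return findings


def scan_path(root) -> list:
    """Scan a single archive file or every archive below a directory."""
    root = Path(root)
    files = [root] if root.is_file() else sorted(p for p in root.rglob("*") if p.is_file())
    findings = []
    for path in files:
        if path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_jar(indicator: str, nested: bool = True) -> bytes:
    """Constructed sample (not a real artifact): a jar that bundles the given
    indicator class either directly or inside a nested lib/inner-lib.jar."""
    payload = io.BytesIO()
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(indicator, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if not nested:
        return payload.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
        z.writestr("lib/inner-lib.jar", payload.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python scan_jars.py <jar-or-directory>; with no argument, scan the constructed sample.
    if len(sys.argv) > 1:
        results = scan_path(sys.argv[1])
    else:
        sample = build_sample_jar("org/apache/logging/log4j/core/lookup/JndiLookup.class")
        results = scan_archive(sample, "sample-app.jar")
    for archive, entry, why in results:
        print(f"{archive}: {entry} ({why})")
    if not results:
        print("no log4j indicator classes found")
```

Finding the class is only the first step of the check; the version string in the jar's own MANIFEST.MF or pom.properties still has to be read to decide whether the bundled copy is a fixed release, and a hit in a nested jar means the upstream library, not just the application, needs updating.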