Jars impacted by Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)?

sanjay-2021 · December 14, 2021, 2:49pm

Hi Team,

We are using following jar provided by you.
1- scala-library-2.10.0 2.10.0
2- scala-compiler-2.10.0 2.10.0
3- scalap-2.10.0 2.10.0
4- scala-reflect-2.10.0 2.10.0

We want to ensure and know if it is impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If it’s impacted please let us know about the security recommendation. To know we are looking for following answer

Are you using log4J?
If you are using log4j 1.x version, are you using JMSAppender class
if you are using log4j 2.x are , what is your security recommendation to fix the issue

SethTisue · December 15, 2021, 12:15am

These JARs do not use log4j (or logback, for that matter) and are not impacted.

You asked about Scala 2.10 specifically, but the same is also true of Scala 2.11, 2.12, 2.13, 3.0, and 3.1.

SethTisue · December 16, 2021, 9:33pm

For information about log4j in the broader Scala library ecosystem, see this new blog post from the Scala Center: