Query | CVE-2021-44228 impact

[mksingh510]

Hi,

This is regarding the vulnerability identification in Apache Log4j -
https://nvd.nist.gov/vuln/detail/CVE-2021-44228

In our Product we use Owasp.CsrfGuard.js and Owasp.CsrfGuard.jar :so could you please confirm these libraries have any issue/risk? If it is impacted by CVE-2021-44228 then kindly suggest the remediation immediately.

[aramrami]

Hello,
CSFGuard doesn't use Log4j. So we are not impacted by this CVE.

You can check the dependencies of the project using mvn dependency:tree -Dscope=compile.

org.owasp:csrfguard:jar:4.1.2-SNAPSHOT

+- javax.servlet:servlet-api:jar:2.5:provided
+- org.apache.commons:commons-lang3:jar:3.12.0:compile
+- commons-io:commons-io:jar:2.8.0:compile
+- com.google.code.gson:gson:jar:2.8.6:compile
+- org.slf4j:slf4j-api:jar:1.7.31:compile
org.owasp:csrfguard-extension-session:jar:4.1.2-SNAPSHOT

+- org.owasp:csrfguard:jar:4.1.2-SNAPSHOT:compile
| +- org.apache.commons:commons-lang3:jar:3.12.0:compile
| +- commons-io:commons-io:jar:2.8.0:compile
| +- com.google.code.gson:gson:jar:2.8.6:compile
| - org.slf4j:slf4j-api:jar:1.7.31:compile
- javax.servlet:servlet-api:jar:2.5:provided
org.owasp:csrfguard-jsp-tags:jar:4.1.2-SNAPSHOT

+- org.owasp:csrfguard:jar:4.1.2-SNAPSHOT:compile
| +- org.apache.commons:commons-lang3:jar:3.12.0:compile
| +- commons-io:commons-io:jar:2.8.0:compile
| +- com.google.code.gson:gson:jar:2.8.6:compile
| - org.slf4j:slf4j-api:jar:1.7.31:compile
+- javax.servlet:servlet-api:jar:2.5:provided
+- javax.servlet.jsp:jsp-api:jar:2.1:provided
- javax.servlet:jstl:jar:1.2:provided
For logging we use the SLF4J API, WITHOUT including any implementations. Even in the test project, we use LogBack

[mksingh510]

Thanks for the prompt response. Appreciated..!!