Andrew Marlow commented on WFCORE-482:
--------------------------------------
In my previous comment I got it slightly wrong regarding my mention of CVEs. There is only
one CVE and it is not even filed against log4j-v1. There is CVE-2017-5645 which is logged
against log4j2. It is to do with the code that listens on the logger event port and
deserialises without doing some sanity checking. Diffing between 2.8.1 and 2.8.2 I see how
checking has now been added. The code is slightly different in v1 but it does still
perform an unchecked deserialisation of a LoggerEvent object, so it does look vulnerable
to me. There may be a new CVE raised for this at some point, even though log4j-v1 is end
of life. I hope a new CVE is raised. The lack of a current CVE for log4j-v1 is causing
some people to say that when they are alerted to CVE-2017-5645 it is a false flag. See
https://github.com/jeremylong/DependencyCheck/issues/1138 for an example of this. I think
that Red Hat has performed the same code analysis that I did and come to the same
conclusion, which is why they patched JBoss (the proprietary version of Wildfly). So it
might not be viewed as a false flag forever.
I've chased down the log4j-v1 dependency. It comes from jbossws-cxf-client. So I
reckon that would have to be changed to use log4j2 before wildfly could be changed. I
think a new ticket needs to be raised for jbossws-cxf-client.
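The sanity check the comment refers to, as an added illustration in plain Java rather than log4j's own code: the receiver refuses to resolve any class that is not on an allowlist before the object is instantiated. The LoggerEvent class here is a constructed stand-in for the real event type, and the allowlist contents are assumptions for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Set;

public class AllowlistDeserialisation {

    // Constructed stand-in for the event type a log socket receiver expects.
    static final class LoggerEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        LoggerEvent(String message) { this.message = message; }
    }

    // Assumed allowlist: only this class may be resolved from the stream.
    // (String fields are written as primitives and never reach resolveClass.)
    static final Set<String> ALLOWED = Set.of(LoggerEvent.class.getName());

    // resolveClass runs before any object of that class is created, so an
    // unexpected type is rejected before its readObject() could ever execute.
    static final class CheckedObjectInputStream extends ObjectInputStream {
        CheckedObjectInputStream(ByteArrayInputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static byte[] serialise(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(obj); }
        return bos.toByteArray();
    }

    static Object readChecked(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new CheckedObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readChecked(serialise(new LoggerEvent("hello")));
        System.out.println("accepted: " + ok.getClass().getName());
        try {
            readChecked(serialise(new java.util.ArrayList<String>()));  // not on the allowlist
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.classname + " (" + e.getMessage() + ")");
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the standard java.io.ObjectInputFilter instead of a subclass.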
Add log4j2 support for WildFly
------------------------------
Key: WFCORE-482
URL: https://issues.jboss.org/browse/WFCORE-482
Project: WildFly Core
Issue Type: Task
Components: Logging
Environment: Spring 3, Hibernate, Wicket, JBoss AS7
Reporter: Amarkanth Ranganamayna
Assignee: James Perkins
Priority: Major
I am trying to use the Flume Appender which comes with Log4j2 (log4j 1.x doesn't support
the flume appender), and in order to achieve this, I am looking at how to configure JBoss AS7
to use log4j2.
Looks like JBoss AS7 by default uses log4j 1.x.
Are you guys already working on using log4j2?
If NOT, can you please suggest how to configure JBoss AS7 such that it picks up the
"log4j2.xml" file and doesn't use its own logging.
Thanks,
Amar