[ https://issues.jboss.org/browse/WFCORE-482?page=com.atlassian.jira.plugin... ]
Andrew Marlow commented on WFCORE-482:
--------------------------------------
I have just downloaded wildfly-18.0.1 and was very surprised to find that it still depends
on the ancient log4j version 1. That version of log4j reached end of life on 5th Aug 2015.
It contains several CVEs including serious XXE vulnerabilities. Hence any product that
uses wildfly will be exposed to these CVEs via transitive dependencies. I was alerted to
this via two mechanisms; firstly the OWASP dependency checker (via the maven plugin); and
second, via Black Duck. This places wildfly off-limits in my corporate environment, where
there are rules against shipping software that contains transitive CVEs via open source
products. Please consider adding direct support for log4j2 as soon as possible. Thank
you.
Add log4j2 support for WildFly
------------------------------
Key: WFCORE-482
URL: https://issues.jboss.org/browse/WFCORE-482
Project: WildFly Core
Issue Type: Task
Components: Logging
Environment: Spring 3, Hibernate, Wicket, JBoss AS7
Reporter: Amarkanth Ranganamayna
Assignee: James Perkins
Priority: Major
I am trying to use Flume Appender which comes with Log4j2 (log4j 1.x doesn't support
flume appender) (AND) in order to achieve this, I am looking at how to configure JBoss AS7
to use log4j2.
Looks like JBoss AS7 by default uses log4j 1.x
Are you guys already working on using log4j2?
If NOT, can you please suggest how to configure JBoss AS7 such that it picks up
"log4j2.xml" file and doesn't use its own logging.
Thanks,
Amar