Hi CMDBuild Team,
According to pom.xml, the latest version of CMDBuild uses the 1.2.17 version of log4j.
log4j was discovered to be vulnerable on December 10, 2021.
According to comments from a log4j contributor, log4j 1.x is also impacted.
Please upgrade log4j to 2.15.0 as soon as possible.
Hi, thanks for the report.
The log4j dependency is a “leftover” from previous CMDBuild versions; internally it is not used anymore, so we have removed the dependency from the pom in order to drop the library.
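As an added illustration of the pom.xml check the report above relies on (this is example code, not CMDBuild's own; the pom content is a constructed sample, and the property name `log4j.version` is an assumption), a small Python helper that lists every log4j dependency in a pom and resolves versions written as `${property}`:

```python
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not CMDBuild's real build file): it declares the
# log4j 1.2.17 dependency the report refers to, with the version in a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <log4j.version>1.2.17</log4j.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>${log4j.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Group ids used by the log4j 1.x and log4j 2.x artifacts respectively.
LOG4J_GROUPS = ("log4j", "org.apache.logging.log4j")


def _local(tag):
    """Strip the Maven XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_log4j(pom_xml):
    """Return [(groupId, artifactId, version)] for each log4j dependency.

    ${property} versions are resolved from <properties>; a version that cannot
    be resolved here (e.g. managed by a parent pom) is reported as None, so it
    still shows up for manual follow-up instead of being silently skipped.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for node in root.iter():
        if _local(node.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in node})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        group, artifact = fields.get("groupId", ""), fields.get("artifactId", "")
        if group not in LOG4J_GROUPS:
            continue
        version = fields.get("version")
        if version and version.startswith("${") and version.endswith("}"):
            version = props.get(version[2:-1])
        found.append((group, artifact, version))
    return found
```

Running `find_log4j` over a pom from which the dependency has been removed, as the reply describes, returns an empty list, which is the state to confirm after the fix.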