@trask For people who don't necessarily know that the exploit is impossible when you don't log to log4j, should we perhaps also state directly in the announcement text that our libraries are not vulnerable to the exploit to make it absolutely clear?
None of the OpenTelemetry Java Instrumentation artifacts are vulnerable to CVE-2021-44228.
For more details see below.
OpenTelemetry Javaagent
None of the javaagent distributions log to log4j2, or pull in log4j2.
OpenTelemetry Library Instrumentation
None of the library instrumentation artifacts log to log4j2, or pull in log4j2 transitively.
There is a log4j2 library instrumentation (for instrumenting log4j2 itself), but this does not pull in log4j2 transitively, instead requiring users to bring their own log4j2 library/version (see the published pom).
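One way to check for yourself that an artifact does not bundle log4j2 is to scan the jar, including nested jars, for the log4j-core `JndiLookup` class. This is an added example, not code from the OpenTelemetry project; the function names and the in-memory sample jars are constructed for illustration. It assumes the class keeps its original path, so a copy relocated to a renamed package or stored under a different file extension would not be matched.

```python
import io
import zipfile

# JndiLookup is the log4j-core class behind CVE-2021-44228 lookups; finding
# it inside an archive means a copy of log4j-core is bundled there.
MARKER = "log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")


def find_log4j_core(data, label="artifact.jar", depth=0, max_depth=5):
    """Return [(location, version or None)] for every bundled log4j-core copy."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # entry only looked like an archive
    hits = []
    with zf:
        names = zf.namelist()
        if any(n.endswith(MARKER) for n in names):
            version = None
            if POM_PROPS in names:  # Maven metadata, when it was not stripped
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            hits.append((label, version))
        if depth < max_depth:  # fat jars and wars carry dependencies as nested archives
            for n in names:
                if n.lower().endswith(NESTED):
                    hits += find_log4j_core(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return hits


def make_jar(entries):
    """Build a jar in memory from {name: bytes}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: one artifact without log4j-core, one fat jar that bundles it.
CLEAN = make_jar({"com/example/Agent.class": b"\xca\xfe\xba\xbe"})
BUNDLED_LIB = make_jar({
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
    POM_PROPS: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
})
FAT = make_jar({"BOOT-INF/lib/log4j-core.jar": BUNDLED_LIB})
```

To scan a real file, pass its bytes, for example `find_log4j_core(open(path, "rb").read(), path)`; an empty list means no unrelocated log4j-core copy was found.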