Hi!
Even though I’m an end-user on a desktop and am not exposed publicly to log4j exploitation, I wanted to assess my current mitigation against the vulnerability. I’ve already installed the log4j update from bodhi, but I know that many applications ship with their own, standalone version of log4j.
Therefore, I made a system-wide filesystem scan to list all files related to log4j. In that list, I also saw the following files:
/usr/share/java/ant/ant-apache-log4j.jar
/usr/share/maven-poms/ant/ant-apache-log4j.pom
According to the timestamps, these files were not updated with the log4j patch. A $dnf provides lookup showed that these files belong to the package ant-apache-log4j-1.10.9-2.fc34.noarch.
So, my question is: does that package also require an update? I don't think it does, but I wanted to make sure that I'm not wrong on this.
Thank you!
Stay safe and up to date. And a big heart to all administrators and security professionals who have to deal with this just before Christmas. They generally don’t get enough gratitude for their work.
(edit: grammar)
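Added example (not part of the original post): instead of judging a jar by its file name or timestamp, the scan below opens each archive and checks whether it actually bundles log4j 2 classes, which is the question behind the ant-apache-log4j.jar case. The two sample jars are constructed fixtures that imitate a log4j-core archive and a jar that only references log4j; their contents and the version string are assumptions, not taken from the real packages.

```python
"""Scan a directory tree for .jar files that bundle log4j 2 classes."""
import os
import re
import tempfile
import zipfile

# Class that implements the JNDI lookup in log4j-core (log4j 2.x).
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_PREFIX = "org/apache/logging/log4j/"


def inspect_jar(path):
    """Return (bundles_log4j2, has_jndi_lookup, version) for one jar.

    version is Implementation-Version from META-INF/MANIFEST.MF, else None.
    A jar that merely references log4j (e.g. an Ant listener adapter)
    contains none of the org/apache/logging/log4j/ classes.
    """
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
            version = m.group(1) if m else None
    bundles = any(n.startswith(LOG4J2_PREFIX) for n in names)
    return bundles, JNDI_CLASS in names, version


def scan_tree(root):
    """Walk root; report each .jar that bundles log4j 2, with version info."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                bundles, jndi, version = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # not a valid archive; skip it
            if bundles:
                findings[path] = {"jndi_lookup": jndi, "version": version}
    return findings


def make_sample_jar(path, entries, version=None):
    """Constructed fixture: write a minimal jar with the given entry names."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:  # hypothetical manifest, same layout as a real one
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")


def demo():
    """Build the two constructed jars in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    core = os.path.join(root, "log4j-core.jar")          # imitates log4j-core
    adapter = os.path.join(root, "ant-apache-log4j.jar")  # imitates the Ant adapter
    make_sample_jar(core, [JNDI_CLASS, LOG4J2_PREFIX + "core/Logger.class"], "2.14.1")
    make_sample_jar(adapter, ["org/apache/tools/ant/listener/Log4jListener.class"])
    return scan_tree(root), inspect_jar(adapter), core
```

Run scan_tree("/") (or a narrower root) to list the jars that really carry log4j 2, then compare each reported version against your distribution's advisory.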