My project has a transitive dependency on log4j v1.2.16 through org.mobicents.servlet.sip package used in my project as a direct dependency.
But org.mobicents.servlet.sip is no longer actively developed.
Are there any options to fix this vulnerability other than waiting for org.mobicents.servlet.sip to fix the issue?
CodePudding user response:
If you are using Maven as a build tool, one way to do this is to:
- exclude the transitive dependency, and
- make it a direct dependency, specifying the latest version.
```xml
<dependencies>
  <dependency>
    <groupId>org.mobicents.servlet.sip</groupId>
    <artifactId>sip-servlets-spec</artifactId>
    <version>4.0.128</version>
    <exclusions>
      <!-- log4j 1.x is published under groupId "log4j" (not org.apache.logging.log4j),
           so these are the coordinates that actually drop the transitive 1.2.16 jar -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- direct dependency on the patched release; code that still calls the
       org.apache.log4j 1.x API additionally needs the log4j-1.2-api bridge -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
  </dependency>
</dependencies>
```
You can also refer to the Maven docs for a detailed explanation.
CodePudding user response:
You may want to use the log4j-1.2-api bridge. To do this:
- exclude the dependency on log4j 1.x (mind the different groupId, which changed between 1.x and 2.x):
```xml
<dependencies>
  <dependency>
    <groupId>org.mobicents.servlet.sip</groupId>
    <artifactId>sip-servlets-spec</artifactId>
    <!-- keep the version your project already declares -->
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- the log4j 2.x dependencies from the next step go here -->
</dependencies>
```
- add dependencies on log4j 2.17.1, including the bridge (inside the same `<dependencies>` element):
```xml
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>2.17.1</version></dependency>
<!-- log4j-1.2-api implements the org.apache.log4j 1.x API on top of log4j 2 -->
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-1.2-api</artifactId><version>2.17.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.1</version></dependency>
```
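A check for the exclusion step in both answers, added here as an example that is neither answer's code: a Python script that parses `mvn dependency:tree` output, reports every log4j 1.x jar together with the direct dependency that pulls it in (the one that has to carry the `<exclusion>`), and prints that block. The tree text and the com.example artifacts are constructed for the example.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical project; the
# sip-servlets-spec -> log4j:log4j:1.2.16 edge mirrors the question, com.example is invented.
SAMPLE_TREE = """\
[INFO] com.example:my-app:war:1.0
[INFO] +- org.mobicents.servlet.sip:sip-servlets-spec:jar:4.0.128:compile
[INFO] |  \\- log4j:log4j:jar:1.2.16:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] +- com.example:other-lib:jar:2.0:compile
[INFO] |  \\- com.example:util:jar:1.1:compile
[INFO] |     \\- log4j:log4j:jar:1.2.17:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# A tree line is "[INFO] ", indentation built from "|  " / "   " groups, "+- " or "\- ", then coordinates.
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)$")

def parse_tree(text):
    """Return (depth, coordinates) per dependency; direct dependencies have depth 1."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            nodes.append((len(m.group(1)) // 3 + 1, m.group(2)))
    return nodes

def find_paths(text, group, artifact, version_prefix):
    """For every matching artifact, return the chain from the direct dependency down to it."""
    paths, stack = [], []
    for depth, coord in parse_tree(text):
        stack = stack[:depth - 1] + [coord]  # stack[i] is the ancestor at depth i + 1
        parts = coord.split(":")  # groupId:artifactId:type[:classifier]:version:scope
        if (parts[0], parts[1]) == (group, artifact) and parts[-2].startswith(version_prefix):
            paths.append(list(stack))
    return paths

def exclusion_xml(path):
    """Build the <dependency> block, with the <exclusion>, for the direct dependency heading `path`."""
    direct, bad = path[0].split(":"), path[-1].split(":")
    return (f"<dependency>\n  <groupId>{direct[0]}</groupId>\n  <artifactId>{direct[1]}</artifactId>\n"
            f"  <version>{direct[-2]}</version>\n  <exclusions>\n    <exclusion>\n"
            f"      <groupId>{bad[0]}</groupId>\n      <artifactId>{bad[1]}</artifactId>\n"
            f"    </exclusion>\n  </exclusions>\n</dependency>")

if __name__ == "__main__":
    for path in find_paths(SAMPLE_TREE, "log4j", "log4j", "1."):
        print(" -> ".join(path), exclusion_xml(path), sep="\n")
```

Run it on the real output of `mvn dependency:tree` to see which direct dependencies need the exclusion; a chain deeper than two entries still gets the exclusion on its first (direct) entry.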
