Update log4j to v2.17.1 (#1768)

Previously was at 2.17.0 but that was found to potentially allow remote code execution (RCE) using the JDBC Appender if the attacker is able to control the Log4j logging configuration file. The issue has been given a “Moderate” severity rating, lower than the vulnerability that started it all
broadinstitute · Jan 3, 2022 · 9379c36 · 9379c36
1 parent 71213e7
commit 9379c36
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/build.gradle b/build.gradle
@@ -92,8 +92,8 @@ dependencies {
     compile 'commons-lang:commons-lang:2.6'
     compile 'com.github.samtools:htsjdk:' + htsjdkVersion
     compile 'org.broadinstitute:barclay:4.0.2'
-    compile 'org.apache.logging.log4j:log4j-api:2.17.0'
-    compile 'org.apache.logging.log4j:log4j-core:2.17.0'
+    compile 'org.apache.logging.log4j:log4j-api:2.17.1'
+    compile 'org.apache.logging.log4j:log4j-core:2.17.1'
     compileOnly(googleNio) {
         transitive = false
     }