
Exclude jdbc package from log4j #2761

Open
jaschdoc wants to merge 1 commit into main from fix-log4j

Conversation

@jaschdoc
Collaborator

@jaschdoc jaschdoc commented Jan 30, 2026

CVE-2022-23305 is caused by misconfiguration of JDBCAppender which is now removed.

I have checked that the added validation logic fails if log4j is not filtered.

Fixes #2651

@jaschdoc jaschdoc marked this pull request as ready for review January 30, 2026 14:45
@jaschdoc jaschdoc marked this pull request as draft February 2, 2026 09:27
@jaschdoc
Collaborator Author

jaschdoc commented Feb 2, 2026

Marking as draft for now. I will extend the build files to validate that the jdbc package is gone from the built jars.
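A stand-alone artifact check of the kind the comment above describes, added here as an example; it is not the PR's own build-file change and not part of KSP. It assumes the offending package path is org/apache/log4j/jdbc/ (the package JDBCAppender lives in) and that the artifact to check is an ordinary jar; the sample jars it builds are constructed test data. It goes a little beyond the exclusion the PR discusses: it also looks inside nested jars and catches relocated (shaded) copies of the package, two places where a plain prefix check would miss a leftover copy.

```python
"""Fail if a built (uber) jar still ships classes under a forbidden package.

Added example, not code from the PR: it mirrors the validation described in
the comment above (the build must fail unless org/apache/log4j/jdbc/ is gone
from the built jars), but as a build-tool-independent script that can run
against any jar, for instance in CI right after packaging.
"""
import io
import sys
import zipfile

# The package that CVE-2022-23305's JDBCAppender lives in. It is matched as a
# path fragment rather than a prefix so that a shading tool relocating the
# package (e.g. shadow/org/apache/log4j/jdbc/) does not slip past the check.
FORBIDDEN_PACKAGES = ("org/apache/log4j/jdbc/",)


def forbidden_entries(jar_bytes, packages=FORBIDDEN_PACKAGES, prefix=""):
    """Return every entry whose path contains a forbidden package directory.

    Jars embedded inside the jar (jar-in-jar layouts) are opened in memory and
    their hits reported as "outer.jar!/inner/path", the way the JDK names
    nested resources.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if any(pkg in name for pkg in packages):
                hits.append(prefix + name)
            elif not info.is_dir() and name.endswith((".jar", ".zip")):
                nested = zf.read(info)
                hits.extend(forbidden_entries(nested, packages, prefix + name + "!/"))
    return hits


def check_jar(path, packages=FORBIDDEN_PACKAGES):
    """Scan a jar on disk and return the list of offending entries."""
    with open(path, "rb") as f:
        return forbidden_entries(f.read(), packages)


def build_sample_jar(entries):
    """Build an in-memory jar from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <path-to-jar>", file=sys.stderr)
        return 2
    hits = check_jar(argv[1])
    for hit in hits:
        print(f"forbidden entry: {hit}")
    if hits:
        print(f"{argv[1]}: {len(hits)} entries under {FORBIDDEN_PACKAGES} "
              "must be excluded from the artifact", file=sys.stderr)
        return 1
    print(f"{argv[1]}: clean")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the shaded jar the build produces; a non-zero exit fails the pipeline, so wiring it into the step that publishes the artifact turns the exclusion into something that cannot silently regress when the dependency graph changes.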

@jaschdoc jaschdoc force-pushed the fix-log4j branch 4 times, most recently from d21aa45 to 1f31170 on February 2, 2026 10:30
CVE-2022-23305 is caused by misconfiguration of `JDBCAppender` which is now removed.
@jaschdoc jaschdoc marked this pull request as ready for review February 2, 2026 12:00
@jaschdoc jaschdoc requested a review from ting-yuan February 2, 2026 12:00
Collaborator

@ting-yuan ting-yuan left a comment


May I know why not simply bumping log4j version, or switching to jetbrains' fork if still used, or completely removing it if not used?

Excluding the contents from the uber jar seems a bit tricky.

@jaschdoc
Collaborator Author

jaschdoc commented Feb 4, 2026

> May I know why not simply bumping log4j version, or switching to jetbrains' fork if still used, or completely removing it if not used?
>
> Excluding the contents from the uber jar seems a bit tricky.

I attempted to remove it entirely, but Kotlin still requires it (and still depends on version 1.2.17.2 that we also have). We could probably update to version 1.2.17.3 since tests are green, but it seems like a bad idea to introduce such a mismatch between KSP and Kotlin. For now this seems like the best local fix that we can apply.

@jaschdoc jaschdoc requested a review from ting-yuan February 4, 2026 13:52
@ting-yuan
Collaborator

I see. But isn't the Kotlin compiler also suffering from the same vulnerability? How do they handle it?


Development

Successfully merging this pull request may close these issues.

symbol-processing-aa-embeddable is now packing CVE-2022-23305 vulnerability (log4j files)

2 participants