Issue log4j is openfire affected?

Hi

I want to ask about the log4j issue, is openfire affected?

does it need to be upgraded to the latest openfire to prevent the log4j issue?

Fyi,

currently my server is using openfire version 4.5.2, while the client spark is version 2.9.4 and 2.8.3

Please help, need info

Thanks

I have added a new PR for the new version 2.17.1:

• https://github.com/igniterealtime/Openfire/pull/1970

I think a new update is needed to old versions too.

Log4j CVEs from 2021:

• CVE - CVE-2021-4104
• CVE - CVE-2021-44228
• CVE - CVE-2021-44832
• CVE - CVE-2021-45046
• CVE - CVE-2021-45105

Fix:

• 2.17.1 (Java 8)
• 2.12.4 (Java 7)
• 2.3.2 (Java 6)