Upgrade of Log4j?

[cyrilfr]

Due to the critical Log4j Security Vulnerability, is there any plan to upgrade Log4j or replace it with another logging framework?

[uwemaurer]

I plan to upgrade to the latest version of log4j 2.

Please note that currently the ebics library uses the very outdated log4j 1.x library, therefore it does not have the vulnerable code, which was only added later in log4j 2.

Also there is currently no risk since this ebics library does not log any strings which contain user input.
Only messages like this:

    configuration.getLogger().info(messages.getString("user.create.info", userId)); 

where the strings come from the own configuration files.

Nevertheless the logging library should be upgraded to the latest version.

[cyrilfr]

OK thank you for your feedback :)