Skip to content

Remediate Log4Shell exposure by upgrading Log4j to 2.17.2#51

Draft
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/security-patch-log4j-vulnerability
Draft

Remediate Log4Shell exposure by upgrading Log4j to 2.17.2#51
pagarwal-dev with Copilot wants to merge 2 commits into
mainfrom
copilot/security-patch-log4j-vulnerability

Conversation

Copilot AI commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This repository was still pinning Log4j 2.14.1, which is vulnerable to CVE-2021-44228-class issues in the Log4j 2.x line. This change upgrades the logging stack to a patched version and aligns Log4j modules on one fixed release.

  • Dependency remediation

    • Introduced a single log4jVersion constant in build.gradle.kts.
    • Upgraded:
      • org.apache.logging.log4j:log4j-core2.17.2
      • org.apache.logging.log4j:log4j-api2.17.2
  • Version alignment

    • Removed per-artifact version drift risk by resolving both Log4j artifacts from one shared version declaration.
  • JNDI lookup surface check

    • No JNDI lookup usage (${jndi...}, JndiLookup, jndi:) is present in repository logging code/configuration.
dependencies {
    val log4jVersion = "2.17.2"

    implementation("org.apache.logging.log4j:log4j-core:$log4jVersion")
    implementation("org.apache.logging.log4j:log4j-api:$log4jVersion")
}

Copilot AI changed the title [WIP] Fix remote code injection vulnerability in Log4j Remediate Log4Shell exposure by upgrading Log4j to 2.17.2 Jun 30, 2026
Copilot AI requested a review from pagarwal-dev June 30, 2026 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [CRITICAL] Remote code injection in Log4j

2 participants