Skip to content

Fix Log4Shell (CVE-2021-44228): upgrade Log4j to 2.17.1#53

Draft
pagarwal-dev with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-log4j-remote-code-injection
Draft

Fix Log4Shell (CVE-2021-44228): upgrade Log4j to 2.17.1#53
pagarwal-dev with Copilot wants to merge 3 commits into
mainfrom
copilot/fix-log4j-remote-code-injection

Conversation

Copilot AI commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Log4j versions < 2.17.0 allow remote code execution via JNDI lookups embedded in attacker-controlled log input (Log4Shell). The app directly depended on log4j-core:2.14.1.

Changes

  • build.gradle.kts: bump log4j-core and log4j-api from 2.14.12.17.1, which disables JNDI by default
  • src/main/resources/log4j2.component.properties (new): explicitly sets log4j2.disableJndi=true as defense-in-depth to prevent JNDI re-enablement via external system property overrides

Copilot AI changed the title [WIP] Fix critical remote code injection vulnerability in Log4j Fix Log4Shell (CVE-2021-44228): upgrade Log4j to 2.17.1 Jul 2, 2026
Copilot AI requested a review from pagarwal-dev July 2, 2026 14:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security] [CRITICAL] Remote code injection in Log4j

2 participants