UIMA PEAR projects that have been generated with the de.averbis.textanalysis:pear-archetype
version 2.0.0
have a maven dependency with scope test
to log4j 2.8.2
and might be affected by CVE-2021-44228.
The issue has been resolved in de.averbis.textanalysis:pear-archetype
version 2.0.1
. Please make sure to use de.averbis.textanalysis:pear-archetype
version >= 2.0.1
for generating new PEAR projects.
Existing maven PEAR projects can be patched by manually upgrading to log4j
>= 2.16.0
in pom.xml
.
https://www.lunasec.io/docs/blog/log4j-zero-day/
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
de.averbis.textanalysis:pear-archetype | eq | 2.0.0 |