As I understand it, the 6.7.2 flowable versions should have patched the log4j vulnerabilities, in short by moving to Logback.
To confirm I used “Trivy” to scan the latest flowable/flowable-ui:6.7.2 image but it is still reporting CVE-2021-44832 is not patched (i.e. log4j is not at v2.17.1+).
Is this a known issue and are there any plans to patch this in the near future?
...$ trivy image flowable/flowable-ui:6.7.2 | grep log4j
| org.apache.logging.log4j:log4j-api | CVE-2021-44832 | MEDIUM | 2.17.0 | 2.17.1, 2.12.4, 2.3.2 | log4j-core: remote code |