Flowable-ui:6.7.2 log4j vulnerability

As I understand it, the 6.7.2 flowable versions should have patched the log4j vulnerabilities, in short by moving to Logback.

To confirm I used “Trivy” to scan the latest flowable/flowable-ui:6.7.2 image, but it is still reporting that CVE-2021-44832 is not patched (i.e. log4j is not at v2.17.1+).

Is this a known issue and are there any plans to patch this in the near future?

...$ trivy image flowable/flowable-ui:6.7.2 | grep log4j
| org.apache.logging.log4j:log4j-api | CVE-2021-44832   | MEDIUM   | 2.17.0            | 2.17.1, 2.12.4, 2.3.2 | log4j-core: remote code               |

Hey @Zakave,

If you read the description of CVE-2021-44832 it says:

Flowable is not vulnerable to this issue because it is not using a JDBC Appender.

Apart from the fact that Flowable is not vulnerable to this, the CVE occurs when using a JNDI LDAP data source and the attacker has control over the LDAP server for the configured LDAP data source. If an attacker has control of your own LDAP server (because you are the one who configures which LDAP server the appender will talk to), you have way bigger problems.

Cheers,
Filip
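As an added example (not from this thread and not Flowable's own code), the check a deployer can run instead of trusting the scanner's version match alone: parse the log4j2 XML configuration and report whether it contains the one shape CVE-2021-44832 actually concerns, a JDBC appender whose DataSource is looked up through JNDI. The two configurations below are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a console-only configuration, the usual shape of an
# application that (like Flowable) does not log to a database.
SAFE_CONFIG = """<Configuration>
  <Appenders>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>"""

# Constructed sample: a JDBC appender whose connection is resolved via JNDI.
# CVE-2021-44832 only matters for this shape, and only when the JNDI/LDAP
# server named here is under an attacker's control.
RISKY_CONFIG = """<Configuration>
  <Appenders>
    <JDBC name="db" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDS"/>
      <Column name="message" pattern="%m"/>
    </JDBC>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="db"/></Root></Loggers>
</Configuration>"""


def find_jndi_jdbc_appenders(config_xml: str) -> list:
    """Return one record per JDBC appender that obtains its DataSource via JNDI."""
    root = ET.fromstring(config_xml)
    hits = []
    for appender in root.iter():
        # Log4j2 accepts both the short element name <JDBC> and the
        # strict form <Appender type="JDBC">; handle either spelling.
        if appender.tag != "JDBC" and appender.get("type") != "JDBC":
            continue
        for ds in appender.iter("DataSource"):
            jndi_name = ds.get("jndiName")
            if jndi_name:
                hits.append({"appender": appender.get("name"), "jndiName": jndi_name})
    return hits


def cve_2021_44832_applies(config_xml: str) -> bool:
    """True only if the configuration contains the JNDI-backed JDBC appender the CVE needs."""
    return bool(find_jndi_jdbc_appenders(config_xml))


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        print(label, "->", find_jndi_jdbc_appenders(cfg))
```

A configuration with no hits is out of scope for this CVE regardless of the log4j-api version the scanner matched; a hit is worth fixing only if the named JNDI/LDAP server is not fully under your own control.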

Perfect, thanks filiphr.