Flowable-ui:6.7.2 log4j vulnerability

As I understand it, the 6.7.2 flowable versions should have patched the log4j vulnerabilities, in short by moving to Logback.

To confirm I used “Trivy” to scan the latest flowable/flowable-ui:6.7.2 image but it is still reporting CVE-2021-44832 is not patched (i.e. log4j is not at v2.17.1+).

Is this a known issue and are there any plans to patch this in the near future?

...$ trivy image flowable/flowable-ui:6.7.2 | grep log4j
| org.apache.logging.log4j:log4j-api | CVE-2021-44832   | MEDIUM   | 2.17.0            | 2.17.1, 2.12.4, 2.3.2 | log4j-core: remote code               |

Hey @Zakave,

If you read the description of CVE-2021-44832 it says:

Flowable is not vulnerable to this issue because it is not using a JDBC Appender.

Apart from the fact that Flowable is not vulnerable to this, the CVE occurs when using a JNDI LDAP data source and the attacker has control over the LDAP server for the configured LDAP data source. If an attacker has control of your own LDAP server (because you are the one who configures which LDAP server the appender will talk to), you have way bigger problems.
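A defender-side check for the precondition described above, added here as an example and not code from this thread or from the Flowable project: it parses a log4j2 XML configuration (the sample config is constructed) and reports any JDBC appender whose DataSource is resolved through JNDI, which is the condition a version-only scanner such as Trivy cannot evaluate.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: one Console appender (not affected) and one
# JDBC appender whose DataSource is looked up through JNDI, which is the
# precondition for CVE-2021-44832 on log4j-core below 2.17.1.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="warn">
  <Appenders>
    <Console name="Stdout" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p %c - %m%n"/>
    </Console>
    <JDBC name="AuditDb" tableName="audit_log">
      <DataSource jndiName="java:/comp/env/jdbc/LoggingDataSource"/>
      <Column name="event_date" isEventTimestamp="true"/>
      <Column name="message" pattern="%message"/>
    </JDBC>
  </Appenders>
  <Loggers>
    <Root level="info"><AppenderRef ref="Stdout"/></Root>
  </Loggers>
</Configuration>"""


def find_jndi_jdbc_appenders(config_xml: str) -> list:
    """Return (appender name, jndiName) pairs for every JDBC appender whose
    DataSource is resolved via JNDI. Handles both the short element form
    (<JDBC ...>) and the strict form (<Appender type="JDBC" ...>)."""
    root = ET.fromstring(config_xml)
    hits = []
    appenders = root.find("Appenders")
    if appenders is None:
        return hits
    for app in appenders:
        is_jdbc = app.tag == "JDBC" or (
            app.tag == "Appender" and app.get("type", "").upper() == "JDBC")
        if not is_jdbc:
            continue
        # A JDBC appender backed by a ConnectionFactory has no jndiName, so
        # only DataSource elements carrying jndiName are reported.
        for ds in app.iter("DataSource"):
            jndi = ds.get("jndiName")
            if jndi:
                hits.append((app.get("name", "<unnamed>"), jndi))
    return hits


def is_exposed(config_xml: str) -> bool:
    """True when the configuration uses a JNDI-backed JDBC appender."""
    return bool(find_jndi_jdbc_appenders(config_xml))


if __name__ == "__main__":
    for name, jndi in find_jndi_jdbc_appenders(SAMPLE_CONFIG):
        print(f"JDBC appender '{name}' resolves its DataSource via JNDI: {jndi}")
```

Run it against the log4j2 configuration actually shipped in your deployment; a config with no JNDI-backed JDBC appender means the Trivy finding is not reachable even though the library version is flagged.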


Perfect, thanks filiphr.