Log4j remediation - CVE-2025-68161

How would I remediate log4j, which keeps coming up on the security scan as CVE-2025-68161? The suggested solution is "Upgrade to Apache Log4j version 2.25.3 or later."

OS: UNIX
Java Version: Java 17
Tomcat Version: 11
Lucee Version: 6.2.2.91

What’s the first rule of CVE club?

Read the CVE!

Here’s a good breakdown

Lucee, unless manually configured, does not use the Socket Appender; as such, Lucee is not vulnerable to this CVE.

Even if you did, it requires your (hopefully) internal network to be compromised, which is a far larger problem than this CVE.

We will in due course update the library.

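As an added example (not code from the Lucee project or from anyone in this thread), here is a short POSIX shell script that performs the two checks the reply above implies before you chase the scanner finding: whether a Socket appender is actually declared in the Log4j 2 config, and whether any bundled log4j-core jar is older than the 2.25.3 the scanner asks for. The install tree it scans is constructed inline for the demo; `INSTALL_DIR`, the `lib/` directory and the `log4j2.xml` location are assumptions, not Lucee's real file layout, so point them at your own Tomcat/Lucee tree.

```shell
#!/bin/sh
# Added example, not Lucee project code: quick checks behind the reply above.
#   1. does the Log4j 2 config actually declare a Socket appender?
#   2. is the bundled log4j-core older than the version the scanner wants?
# The demo directory built below is constructed; set INSTALL_DIR to the real
# Tomcat/Lucee tree (the lib/ and log4j2.xml layout is an assumption) for a
# real check.

WANTED_LOG4J_VERSION="2.25.3"   # version the scanner report recommends

# True (exit 0) when a Log4j 2 XML config declares a <Socket ...> appender.
has_socket_appender() {
  grep -Eiq '<Socket[[:space:]/>]' "$1"
}

# Print "2.17.1" for a path ending in log4j-core-2.17.1.jar; print nothing otherwise.
log4j_version_from_jar() {
  basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9.]*\)\.jar$/\1/p'
}

# True (exit 0) when dotted version $1 is older than $2, e.g. 2.17.1 < 2.25.3.
# Uses awk so it does not depend on GNU "sort -V".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, "."); k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = x[i] + 0; q = y[i] + 0
      if (p < q) exit 0
      if (p > q) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# Print every log4j-core jar under $1 that is older than WANTED_LOG4J_VERSION.
outdated_log4j_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null | while IFS= read -r jar; do
    v=$(log4j_version_from_jar "$jar")
    if [ -n "$v" ] && version_lt "$v" "$WANTED_LOG4J_VERSION"; then
      echo "$jar ($v)"
    fi
  done
}

# Build a constructed install tree for the demo: one outdated jar, one current
# jar, and a config that does declare a Socket appender (the case the reply
# says Lucee does not ship by default).
make_demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/lib"
  : > "$d/lib/log4j-core-2.17.1.jar"      # fake jar, outdated
  : > "$d/lib/log4j-core-2.25.3.jar"      # fake jar, already current
  cat > "$d/log4j2.xml" <<'EOF'
<Configuration>
  <Appenders>
    <Console name="console"/>
    <Socket name="remote" host="10.0.0.5" port="4560"/>
  </Appenders>
</Configuration>
EOF
  echo "$d"
}

INSTALL_DIR=${INSTALL_DIR:-$(make_demo_dir)}
if has_socket_appender "$INSTALL_DIR/log4j2.xml"; then
  echo "Socket appender configured in $INSTALL_DIR/log4j2.xml"
else
  echo "No Socket appender configured in $INSTALL_DIR/log4j2.xml"
fi
outdated_log4j_jars "$INSTALL_DIR"
```

Run it as `INSTALL_DIR=/path/to/tomcat sh check-log4j.sh` against the real install. If no Socket appender is declared and the reported jar versions match what the scanner flags, the finding is a version-string match rather than an exposed code path, which is the distinction the reply draws.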

Can I update the core files to use 2.25.3?