Page 1 of 1


Posted: Thu Dec 23, 2021 4:40 pm
by SubJunk
Hey everyone, I just wanted to assure you that UMS is not affected by the infamous Log4j exploit, AKA Log4Shell.

We do not use Log4j directly, and have used two scanners to ensure our dependencies don't include a vulnerable version too.

For scanning, we used both the Docker scanner which is powered by Snyk, as well as the open source tool Grype.

This exploit has been huge for some projects and businesses, so we have really dodged a bullet here. Our hearts go out to those affected by the exploit.

Re: Log4Shell

Posted: Thu Dec 23, 2021 5:04 pm
by mik_s
That is a relief. I had only heard of exploit recently but did not know much or how prevalent it was, only that it had effected some minecraft servers or something.

Earlier today Computerphile put out a video explaining what this exploit is, how bad it has become and how it effects nearly every service on the internet. I know a lot of IT guys have had a very busy week making sure it is patched.

I have been following updates on Github for a while and I never seen any dependency updates mentioning Log4j so was fairly sure UMS did not use it but was not certain.