Currently gradle 7.3.2 automatically checks for min version of log4j to 2.16.0 or higher, is there a version that will bump up this minimum version to 2.17.0 or higher?
Ref: Dealing with the critical Log4j vulnerability (gradle.org)
I cannot speak for the Gradle guys, but we will not update to 2.17.0 in a rush, as there is not much risk in 2.16.0. The only risk is if a logging pattern with a ctx lookup is used with a value in the MDC that is controlled by an attacker. And even then the worst he could cause is a stack overflow that crashes the currently running JVM, that is, the Gradle build daemon.
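As an added illustration of the precondition described in the reply above (this is not code from the thread or from Gradle), the following Python script scans a log4j2 XML configuration for layout patterns that contain a `${ctx:...}` (or `$${ctx:...}`) lookup, which is the configuration the reply identifies as the only one exposed on 2.16.0. The sample configuration is constructed for the example and `find_ctx_lookups` is an assumed helper name.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log4j2 configuration: the "Risky" appender's pattern
# uses a ctx lookup (the precondition described above), the "Safe" one
# prints the MDC value with %X, which does not evaluate lookups.
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Risky" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=$${ctx:loginId} %m%n"/>
    </Console>
    <Console name="Safe" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %p user=%X{loginId} %m%n"/>
    </Console>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Risky"/>
      <AppenderRef ref="Safe"/>
    </Root>
  </Loggers>
</Configuration>
"""

# Matches a thread-context (MDC) lookup such as ${ctx:loginId}; the same
# characters also appear inside the runtime form $${ctx:loginId}.
CTX_LOOKUP = re.compile(r"\$\{\s*ctx:[^}]*\}")


def find_ctx_lookups(xml_text):
    """Return (appender name, pattern) for every element whose 'pattern'
    attribute contains a ctx lookup. Any element carrying a 'pattern'
    attribute is inspected, so PatternLayout and similar layouts are covered."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        pattern = elem.get("pattern")
        if pattern is None or not CTX_LOOKUP.search(pattern):
            continue
        # Walk up to the nearest named ancestor, normally the appender.
        owner = elem
        while owner is not None and owner.get("name") is None:
            owner = parent.get(owner)
        name = owner.get("name") if owner is not None else "<unnamed>"
        findings.append((name, pattern))
    return findings


if __name__ == "__main__":
    for name, pattern in find_ctx_lookups(SAMPLE_LOG4J2_XML):
        print(f"appender {name!r} uses a ctx lookup: {pattern}")
```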
Aaand 7.3.3 has landed, which updates those checks.