Updated version of gradle that requires log4j 2.17

Currently, Gradle 7.3.2 automatically checks for a minimum log4j version of 2.16.0 or higher; is there a version that will bump this minimum up to 2.17.0 or higher?

Ref: Dealing with the critical Log4j vulnerability (gradle.org) and Log4j – Download Apache Log4j 2
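Whatever minimum Gradle itself enforces, a build can require 2.17.0 in its own dependency resolution. The following build.gradle is an added example, not code from this thread or from the Gradle project; it assumes a plain Java project that declares log4j directly, and the checkLog4jVersion task and meetsMinimum helper are constructed for illustration.

```groovy
// build.gradle (Groovy DSL), constructed example.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Assumed: the project (or something transitive) still asks for an older log4j.
    implementation 'org.apache.logging.log4j:log4j-api:2.14.1'
    implementation 'org.apache.logging.log4j:log4j-core:2.14.1'

    constraints {
        // A strict range overrides the 2.14.1 requests above and any transitive ones:
        // resolution picks 2.17.0 and rejects anything below it.
        ['log4j-core', 'log4j-api'].each { artifact ->
            implementation("org.apache.logging.log4j:${artifact}") {
                version {
                    strictly '[2.17.0, 3['
                    prefer '2.17.0'
                }
                because 'log4j 2.16.0 still allows a context-lookup stack overflow; require 2.17.0 or newer'
            }
        }
    }
}

// Numeric dotted-version comparison; true when version >= minimum. Constructed helper.
boolean meetsMinimum(String version, String minimum) {
    def a = version.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def b = minimum.tokenize('.').collect { it.toInteger() }
    for (i in 0..<Math.max(a.size(), b.size())) {
        def x = i < a.size() ? a[i] : 0
        def y = i < b.size() ? b[i] : 0
        if (x != y) return x > y
    }
    return true
}

// Explicit check over the resolved runtime classpath, so a regression fails the build
// instead of silently shipping an old log4j. Run with: gradle checkLog4jVersion
tasks.register('checkLog4jVersion') {
    doLast {
        def old = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'org.apache.logging.log4j' && !meetsMinimum(it.version, '2.17.0') }
        if (old) {
            throw new GradleException("log4j below 2.17.0 on runtime classpath: ${old}")
        }
        println 'log4j on runtime classpath is 2.17.0 or newer'
    }
}
```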

I cannot speak for the Gradle guys, but we will not update to 2.17.0 in a rush, as there is not much risk in 2.16.0: only if a logging pattern with a context lookup is used with a value in the MDC that is controlled by an attacker. And even then, the worst they could cause is a stack overflow that crashes the currently running JVM, that is, the Gradle build daemon.

1 Like

Aaand 7.3.3 has landed, which updates those checks. :)

1 Like