Do we need to worry?
I can confirm that neither Axon Framework, nor Axon Server is affected by this issue.
Axon Framework doesn’t include any dependency on a logging framework. It uses slf4j as its logging API. It is up to the user to decide which logging implementation to run underneath.
Axon Server uses logback. It includes a log4j-to-slf4j bridge to allow libraries that do have a direct dependency on the log4j API to use the same logging configuration as the other libraries.
The Axon Server Connector for Java did get flagged by our security scans, but that appeared to only be a test scope dependency. Although we don’t see any security risks there, we did update the dependency in the active branches.
So as far as Axon is concerned, there is nothing to worry about. However, do check your own Axon based applications to be sure. You can run:
mvn dependency:tree | grep log4j
to identify whether you include any log4j libraries in your own applications (directly or transitively).
Kudos to all the devs fighting fires this weekend.
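Added example, not from the post or the Axon project: a refinement of the grep above that classifies each log4j artifact in the dependency tree by artifact id and Maven scope, so that a test-scope hit or the log4j-to-slf4j bridge the answer mentions is not mistaken for log4j-core on the runtime classpath. The dependency tree below is constructed sample input with placeholder versions.

```shell
#!/bin/sh
# Classify log4j coordinates found in `mvn dependency:tree` output.
# Real use: mvn dependency:tree | classify_log4j
# Each Maven coordinate has the form group:artifact:type[:classifier]:version:scope,
# so the artifact is the second field and the scope is always the last one.
classify_log4j() {
  grep -oE '[^ ]*log4j[^ ]*' |
  while read -r coord; do
    scope=${coord##*:}          # last field: compile, runtime, provided, test, ...
    rest=${coord#*:}            # drop the group id
    artifact=${rest%%:*}        # second field: the artifact id
    if [ "$scope" = test ]; then
      class=TEST-ONLY           # never on the application's runtime classpath
    elif [ "$artifact" = log4j-core ]; then
      class=RUNTIME-CORE        # the Log4j 2 implementation itself: check its version
    else
      class=OTHER               # log4j-api, log4j-to-slf4j and other bridges, log4j 1.x
    fi
    printf '%s %s\n' "$class" "$coord"
  done
}

# Number of log4j-core entries that are not test scoped (the ones that matter).
runtime_core_count() {
  classify_log4j | grep -c '^RUNTIME-CORE '
}

# Constructed sample tree (placeholder versions), not real project output.
SAMPLE_TREE='[INFO] com.example:my-axon-app:jar:0.0.0-sample
[INFO] +- org.axonframework:axon-spring-boot-starter:jar:0.0.0-sample:compile
[INFO] |  \- org.slf4j:slf4j-api:jar:0.0.0-sample:compile
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:0.0.0-sample:compile
[INFO] |  \- org.apache.logging.log4j:log4j-api:jar:0.0.0-sample:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:0.0.0-sample:test'

printf '%s\n' "$SAMPLE_TREE" | classify_log4j
```

On the sample this reports the bridge and API as OTHER, one RUNTIME-CORE entry for log4j-core in compile scope, and the test-scoped copy as TEST-ONLY.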
Thank you for responding so quickly! Although I think a lot of us are working this weekend indeed…