DMCC API and log4j 1.2

**jtb1** · 12-13-2024, 10:10 AM

It would be helpful to know which class (es) are beign flagged - if the scanner is providing that level of detail - or at a minimum what scanning software is being used. My understanding is Avaya does scan for this class of issue so its presence is 1) surprising and 2) needs addressed in some way.

**amulm** · 12-13-2024, 10:40 AM

thank you for that very quick reply.

If I remove the latest version of log4j (1.2.17) from my dependencies I'll get a java.lang.NoClassDefFoundError exception. Log4j 1.2 has beed deprecated for some time and replaced with log4j-core, adding this dependency does not make a difference. The one example of a class that is appears to be using log4j1 is com.avaya.mvap.svcproxy.prov.

**jtb1** · 12-13-2024, 11:25 AM

Any chance you can sub in the 10.1 version of DMCC API and see if the vulnerability scanner complains? I want to know if this was a goof in the build or a standing issue.
And just to be sure we are talking the DMCC Java SDK here 10.2.0 version, Right?

**flynn1** · 12-17-2024, 03:48 AM

According to the bug tracker, DMCC SDK moved to Log4j2 two years ago. Can you tell me what class is still using log4j1.2?

DMCC API and log4j 1.2

DMCC API and log4j 1.2

Comment

Comment

Comment

Comment