In my SpringBoot application, I have several log4j libraries which I'm assuming could be called independently (outside the app) by some malicious program.
As one example, commons logging appears to use an old log4j. Yet, checking Maven, I don't see any update.
There is also a log4j2, version 2.1.14, in the project jar files, but it's unclear what dependency is using it.
What a mess!
Suggestions on how to track down vulnerable libraries in jar files within a war file and how to know if they're a problem or not?
Thanks!
- mike