Vulnerability in Log4j used by VERDI

Hi,

Our IT department has identified some vulnerability issues in one of the libraries used by VERDI:

VERDI_1.5.0/plugins/core/lib/log4j-core-2.0-rc1.jar

This link reports the issue:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

The log4j components need to be a version 2.15.0 or greater to address this issue. Version 2.15.0 was released on 12/6/2021, so it looks like VERDI 2.1 still has this issue.

Would it be possible to fix the issue and update VERDI?

Thanks,

Marc

Thank you. We are aware of this vulnerability and are planning to release a patched version of VERDI 2.1 with log4j 2.16 or greater.

VERDI has been updated to use log4j 2.16 to eliminate the security vulnerability.
Please see the release announcement and remove older versions of VERDI and replace with VERDI v2.1.1.

Thank you,
Liz

A second VERDI update has been made to use log4j 2.17.

REPLACE ALL PRIOR versions of VERDI with this patched release version VERDI 2.1.2
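
To confirm that no older VERDI copy is left on a machine, the check below walks a directory tree and lists every `log4j-core` jar whose file-name version is below 2.17.0, the version named in the last update above. It is an added example, not part of the original thread or of VERDI; the function names and the sample tree (apart from the VERDI_1.5.0 path quoted in the first post) are constructed for illustration.

```python
import re
import sys
import tempfile
from pathlib import Path

# Threshold assumed from the thread: the final patched release uses log4j 2.17.
MIN_VERSION = (2, 17, 0)

# Matches log4j-core-2.0-rc1.jar, log4j-core-2.14.1.jar, log4j-core-2.17.jar;
# jars with other suffixes (for example -tests or -sources) are not matched.
JAR_RE = re.compile(
    r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-((?:alpha|beta|rc)\d*))?\.jar$"
)

def parse_jar_version(name):
    """Return ((major, minor, patch), prerelease) or None for other file names."""
    m = JAR_RE.match(name)
    if m is None:
        return None
    major, minor, patch, prerelease = m.groups()
    return (int(major), int(minor), int(patch or 0)), prerelease

def find_outdated(root, min_version=MIN_VERSION):
    """List log4j-core jars under root (relative paths) older than min_version."""
    root = Path(root)
    outdated = []
    for jar in sorted(root.rglob("log4j-core-*.jar")):
        parsed = parse_jar_version(jar.name)
        if parsed is None:
            continue
        version, prerelease = parsed
        # A pre-release (rc1, beta9) sorts before the release with the same numbers.
        if version < min_version or (version == min_version and prerelease):
            outdated.append(jar.relative_to(root).as_posix())
    return outdated

def make_sample_tree(root):
    """Create empty placeholder jars (constructed sample, not real archives)."""
    for rel in ("VERDI_1.5.0/plugins/core/lib/log4j-core-2.0-rc1.jar",
                "old_install/lib/log4j-core-2.14.1.jar",
                "new_install/lib/log4j-core-2.17.0.jar"):
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()

if __name__ == "__main__":
    # With no argument, scan a throwaway sample tree instead of a real install.
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) <= 1:
        make_sample_tree(root)
    for rel_path in find_outdated(root):
        print("outdated log4j-core:", rel_path)
```

Matching on file names only finds stand-alone jars; a copy of log4j repackaged inside another archive will not be listed.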