Log4j has a serious vulnerability. use kotlin-logging:1.12.5

[edgelv34]

Log4j has a serious vulnerability.

Currently, the kotlin version I can use is 1.4.32.

Therefore, use KLogger by adding "io.github" microutils:kotlin-logging:1.12.5' to the dependency.

Verified that the version that resolves the serious vulnerability in Log4j is kotlin-logging 2.1.16 and is available only in kotlin 1.6.0 and higher.

Is there any way to deal with the vulnerability of Log4j in the previous version?

[github-actions]

Thank you for reporting an issue. See the wiki for documentation and slack for questions.

[severn-everett]

I was under the impression that 2.1.16 is still usable by Kotlin 1.4, given the declaration of the 1.4 API version in the Gradle file:

kotlin {
    explicitApi()
    jvm {
        compilations.all {
            // kotlin compiler compatibility options
            kotlinOptions {
                apiVersion = "1.4"
                languageVersion = "1.4"
                jvmTarget = "1.8"
            }
        }
    }

@oshai Is this correct?

[oshai]

I was under the impression that 2.1.16 is still usable by Kotlin 1.4, given the declaration of the 1.4 API version in the Gradle file:

kotlin {
    explicitApi()
    jvm {
        compilations.all {
            // kotlin compiler compatibility options
            kotlinOptions {
                apiVersion = "1.4"
                languageVersion = "1.4"
                jvmTarget = "1.8"
            }
        }
    }

@oshai Is this correct?

to the best of my knowledge, yes.

[oshai]

To add more context 1.x is deprecates see #180.
In addition, as far as we know kotlin-logging is not vulnerable to the cve by itself (as long as you use fixed log4j version).
See more details: #206 (comment)

[edgelv34]

thx guys.
i found out as you say that kotlin-logging was used only for jvmtest purposes.