As previously explained in the Lightbend blog post, Lagom doesn't use log4j 2 directly, but it can be pulled in as an opt-in dependency.
With this release, the log4j version that can be included in a Lagom application is upgraded to 2.15.0, the release that disables the JNDI message lookups exploited by CVE-2021-44228.
Moreover, we discovered that the Kafka broker library used in dev mode was pulling in an old version of log4j (1.2.17) without any need for it. This was never a real concern: that library is only used by the embedded dev-mode Kafka and is never deployed with a running Lagom application, and log4j 1.x does not have the message lookup mechanism that CVE-2021-44228 exploits. But to avoid confusion and false alarms from dependency scanners, this obsolete dependency has been removed.
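To tell a real exposure from a false alarm like the dev-mode one above, it helps to look at what actually lands on the classpath. The script below is an added example (not part of these release notes or of Lagom): it scans a directory of jars, reads each Log4j jar's Maven `pom.properties`, and reports log4j-core 2.x below 2.15.0 as affected by CVE-2021-44228, 2.15.0 and later as addressed, and log4j 1.x as a separate line that the CVE does not cover. The jars it inspects are constructed in a temporary directory so the example runs offline; their names and contents are assumptions, not real artifacts.

```python
"""Scan a directory of jars and report which contain Log4j, which major
version, and whether that version is covered by CVE-2021-44228.

Added example; not part of the Lagom release notes or the Lagom code base.
"""
import os
import re
import tempfile
import zipfile

# Maven metadata paths that the real Log4j jars carry; pom.properties holds the version.
LOG4J2_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
# Marker class of log4j-core. It is still present in 2.15.0, so it is
# evidence of log4j-core, not by itself evidence of a vulnerable version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
FIXED_VERSION = (2, 15, 0)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of three ints."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(n) if n is not None else 0 for n in m.groups())


def version_from_pom_properties(zf, path):
    """Read the 'version=' key out of a Maven pom.properties entry, if present."""
    try:
        data = zf.read(path).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in data.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def classify_jar(jar_path):
    """Return (status, version) where status is one of
    'no-log4j', 'log4j1', 'log4j2-vulnerable', 'log4j2-fixed'."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        v2 = version_from_pom_properties(zf, LOG4J2_CORE_POM)
        if v2 is not None or JNDI_LOOKUP in names:
            parsed = parse_version(v2) if v2 else None
            if parsed is not None and parsed >= FIXED_VERSION:
                return "log4j2-fixed", v2
            # log4j-core with an unreadable version is reported conservatively.
            return "log4j2-vulnerable", v2 or "unknown"
        v1 = version_from_pom_properties(zf, LOG4J1_POM)
        if v1 is not None or LOG4J1_MARKER in names:
            # log4j 1.x: the dev-mode false alarm; not covered by CVE-2021-44228.
            return "log4j1", v1 or "unknown"
        return "no-log4j", None


def scan(directory):
    """Classify every .jar below `directory`; keyed by file name."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.endswith(".jar"):
                report[name] = classify_jar(os.path.join(root, name))
    return report


def make_jar(path, entries):
    """Write a minimal jar (a zip) with the given {entry name: bytes}. Constructed data."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def build_sample_lib(directory):
    """Constructed jars mimicking the cases discussed in the release notes (assumed names)."""
    fake_class = b"\xca\xfe\xba\xbe"
    make_jar(os.path.join(directory, "log4j-core-2.14.1.jar"),
             {LOG4J2_CORE_POM: b"version=2.14.1\n", JNDI_LOOKUP: fake_class})
    make_jar(os.path.join(directory, "log4j-core-2.15.0.jar"),
             {LOG4J2_CORE_POM: b"version=2.15.0\n", JNDI_LOOKUP: fake_class})
    make_jar(os.path.join(directory, "log4j-1.2.17.jar"),
             {LOG4J1_POM: b"version=1.2.17\n", LOG4J1_MARKER: fake_class})
    make_jar(os.path.join(directory, "akka-actor.jar"),
             {"akka/actor/Actor.class": fake_class})


def demo():
    """Build the constructed jars in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_lib(d)
        return scan(d)


if __name__ == "__main__":
    for jar, (status, version) in sorted(demo().items()):
        print(f"{jar}: {status} ({version})")
```

Point `scan()` at the lib directory of a packaged service to check what actually ships, rather than at the dev-mode classpath where the embedded Kafka's log4j 1.2.17 lived; `mvn dependency:tree` or sbt's `dependencyTree` gives the resolved view before packaging. Reporting a log4j-core jar with no readable version as vulnerable is deliberate: a shaded or repackaged jar should be investigated, not silently passed.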
What's Changed
- [1.6.x] Upgrade to log4j 2.15 to address CVE-2021-44228 by @octonato in #3325
- Hint that upgrading to Akka HTTP 10.2 is fine (backport #3319) by @mergify in #3326
- remove explicit dependency on log4j in kafka brokers by @octonato in #3327
Full Changelog: 1.6.6...1.6.7