Is there a log4j vulnerability in utPLSQL-cli?

[drumbeg]

The lib supplied with the latest release slf4j-api 1.7.26.jar allows a possibility of a log4j attack.

https://www.slf4j.org/log4shell.html

How is this being addressed?

[pesse]

Thanks for bringing this up.
Will provide an update as soon as possible.
However, in order to exploit Log4shell here, you'd need access to the database the cli is run against and create a test with a malicious name.
Possible, but very unlikely.

[drumbeg]

Any update on the log4j issue?

[jgebal]

How would you see the log4j issue to be exploited in this software?
We will definitely update the log4j library or remove it at some point when working on new features/bugfixes for cli.
I'm not sure however if there is real value in fixing it by itself.

Does it block you in any way at the moment?