Upgrade LOG4J?

Are there any plans to upgrade the version of LOG4J used from 1.2.16?

Do you mean, upgrade the LOG4J included in the Java reasoner with Owlready ?

I prefer to avoid upgrading them because each recompilation of the reasoners is tedious and has a risk of breaking compatibility (if it is compiled with a newer version of Java).

Jiba

Looks like it is included as part of Pellet. This version of LOG4J is super old and has many vulnerabilities associated to it.

Are there some serious vulnerabilities ? I mean, LOG4J is for logging purpose, so I would not expect it to be so dangerous... Is there really a risk, especially since the Java part cannot be directly accessed in Owlready.

Are recent version fully retrocompatible ? Pellet is actually super old too.

Yes, here are all the CVEs listed for that version:
CVE-2019-17571,CVE-2020-9488,CVE-2022-23302,CVE-2022-23305,CVE-2022-23307

These will get flagged on a scan. Additionally, be careful if you do upgrade to go to a later version to avoid the Log4Shell vulnerability.

Ok, I've upgrade to LOG4J 2.19.0 in the development version.

Jiba