Gremlin Server and Gremlin Console include log4j 1.2, which reached end of life more than 5 years ago.
Security scanning software (Twistlock) flags log4j 1.2 as a critical security violation and hence prohibits deployment. The scanner reports:
- Attack complexity: low
- Attack vector: network
- Severity: critical
- Impact: remote code execution

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data. When the server listens for log data on untrusted network traffic, this can be exploited, in combination with a deserialization gadget, to remotely execute arbitrary code. This affects Log4j versions from 1.2 up to 1.2.17.
Is there a plan to remove log4j 1.2 so that an installation of either Gremlin Server or Gremlin Console does not include the jars that trigger this security finding?
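As an added example (not code from TinkerPop or the scanner), the inventory check below walks a lib directory and reports every jar that carries the log4j 1.x SocketServer class mentioned above, reading the version from the jar's Maven pom.properties where present. The jar entry paths are assumed from the standard log4j:log4j artifact layout, and the sample jars it builds are constructed stand-ins, not real artifacts.

```python
"""Find log4j 1.x jars (the ones that ship SocketServer) under a lib directory."""
import os
import tempfile
import zipfile

# Class that only log4j 1.x ships; its presence is what the scanner objects to.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Maven metadata path for the log4j:log4j artifact (assumed standard layout).
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def inspect_jar(path):
    """Return (version, has_socket_server) for a log4j 1.x jar, else None."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if not names & {SOCKET_SERVER_CLASS, POM_PROPERTIES}:
            return None
        version = "unknown"
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    version = value.strip()
        return version, SOCKET_SERVER_CLASS in names


def find_log4j1_jars(lib_dir):
    """Map jar path -> (version, has_socket_server) for every log4j 1.x jar found."""
    findings = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            try:
                result = inspect_jar(path)
            except zipfile.BadZipFile:
                continue  # unreadable jar: skip rather than crash the inventory
            if result:
                findings[path] = result
    return findings


def run_sample():
    """Build two constructed sample jars in a temp dir and return findings by basename."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(os.path.join(tmp, "log4j-1.2.17.jar"), "w") as zf:
            zf.writestr(POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
            zf.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        with zipfile.ZipFile(os.path.join(tmp, "slf4j-api.jar"), "w") as zf:
            zf.writestr("org/slf4j/Logger.class", b"\xca\xfe\xba\xbe")  # unrelated jar
        return {os.path.basename(p): r for p, r in find_log4j1_jars(tmp).items()}


if __name__ == "__main__":
    for jar, (version, socket_server) in run_sample().items():
        print(f"{jar}: log4j {version}, SocketServer present: {socket_server}")
```

Point `find_log4j1_jars` at the Gremlin Server or Console `lib` directory to see exactly which jars the scanner will flag.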