Lagom 1.6.7 released!

Dear all,

A new Lagom version has been released (v1.6.7).

As previously explained in the Lightbend blog post, Lagom doesn’t use log4j 2 directly, but it can be included as an opt-in.

With this release, the log4j version that can be included in a Lagom application is upgraded to version 2.15.0, the version that addresses the CVE-2021-44228 vulnerability.

Moreover, we discovered that the Kafka broker library used in dev-mode was including an old version of log4j (v1.2.17), and that for no reason. This was never a real concern because this library is never deployed on a running Lagom application, but to avoid confusion and false alarms this obsolete dependency has been removed.

More details can be found on GitHub

2 Likes

Thank you @octonato