Hibernate projects are not affected by the vulnerabilities behind CVE-2021-45046 and CVE-2021-44228: none of the Hibernate projects has a runtime dependency on Log4j core.
We use JBoss Logging, which provides a minimal API bridging to your logger backend of choice and does not come with fancy features relying on JNDI lookups.
We do use Log4j during development of the Hibernate libraries as it’s a dependency of our testsuites; therefore we’ve still upgraded all branches.
These test dependencies won’t be included in your application if you depend on the Hibernate libraries.
The upgraded versions of each project are:
In the unlikely case that some project does depend on our testsuites, then you should upgrade.