Forum Discussion

oneagh
Occasional Contributor
4 months ago

Log4j vulnerability (CVE-2025-68161)

Hi everyone,

I’ve tested the latest version of SoapUI (v5.9.1) and noticed that it is still using Log4j v2.17.1.

Could you please confirm whether there are plans to upgrade the Log4j component to a newer version, and if so, whether an estimated timeline is available?

Thank you!

9 Replies

  • We ran into this exact same issue auditing SoapUI v5.9.1 last month for our company’s security check. Log4j 2.17.1 indeed hasn’t fixed this new CVE-2025-68161 flaw. As a temporary workaround before the official patch rolls out, we manually swapped the log4j jar file inside SoapUI’s lib folder for the latest patched 2.23.1 build. Have you tried jar replacement for your testing environment yet?

      oneagh
      Occasional Contributor

      Hi htmllenmsy,

      That's a good suggestion. I hadn't thought about replacing the JAR as a test workaround. I'll try it out next time. Thanks for sharing it.
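A check a defender can run against the lib folder discussed in the exchange above, added here as an example (it is not code from the thread or from SmartBear). It assumes jar names of the form log4j-<artifact>-<version>.jar and takes 2.23.1, the version the first reply swapped in, as the minimum; the sample jars it builds are constructed for the demo.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Version floor taken from the thread (the first reply swapped in 2.23.1); an assumption, not a vendor statement.
MIN_VERSION = (2, 23, 1)
# Assumed jar naming: log4j-<artifact>-<version>.jar, as published on Maven Central.
JAR_NAME = re.compile(r"^log4j-[a-z0-9-]+-(\d+(?:\.\d+)+)\.jar$")

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); a qualifier such as '-rc1' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def manifest_version(jar_path):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None

def audit_lib_dir(lib_dir, minimum=MIN_VERSION):
    """Map each log4j-*.jar to (version, meets_minimum); version None means it could not be read."""
    report = {}
    for jar in sorted(Path(lib_dir).glob("log4j-*.jar")):
        match = JAR_NAME.match(jar.name)
        # Prefer the manifest; fall back to the version embedded in the file name.
        version = manifest_version(jar) or (match.group(1) if match else None)
        report[jar.name] = (version, version is not None and parse_version(version) >= minimum)
    return report

def build_sample_lib(root):
    """Constructed sample: two minimal jars standing in for the ones in SoapUI's lib folder."""
    lib = Path(root) / "lib"
    lib.mkdir()
    for artifact, version in (("log4j-core", "2.17.1"), ("log4j-api", "2.23.1")):
        with zipfile.ZipFile(lib / f"{artifact}-{version}.jar", "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, (version, ok) in audit_lib_dir(build_sample_lib(tmp)).items():
            print(f"{name}: {version or 'unknown'} {'OK' if ok else 'BELOW MINIMUM'}")
```

Point audit_lib_dir at the real SoapUI lib directory to inventory the shipped jars; any entry reported as None needs a manual look.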

  • Hi Oneagh,

    I raised this with the team and we will be addressing this in the next SoapUI release, 5.10.0.

    Appreciate you raising this. We can't provide a timeline, but rest assured it will be included.

    Cheers,

    Yousaf

      Securebear532
      New Contributor

      Hi Yousaf!
      What mitigation would you recommend for version 5.9.1 regarding this issue?

  • Hi!

    I need an update regarding both a timeline for the update and mitigation actions for version 5.9.1. Please get back to me with this information.

      yousaf
      Staff

      Hi,

      Sorry for the late reply.

      If you are in a position to build SoapUI from source, then you can apply the changes in this pull request, which will address the issue and will be included in the next release:

      https://github.com/SmartBear/soapui/pull/886

      This