SOAPUI 5.9.1 Still Includes Log4j 2.17.1 — When Will an Updated Version Be Released?
Hello Team,
We are currently working through remediation of Log4j vulnerabilities in our environment. As part of this effort, we downloaded and installed the latest available SOAPUI Open Source version (5.9.1). However, after installation, we observed that the Log4j library bundled with SOAPUI is still version 2.17.1.
Our internal security scanners continue to report vulnerabilities for Log4j and require us to upgrade to Log4j 2.25.3 or later, but SOAPUI does not appear to include that updated version.
We would appreciate clarification on the following:
- Is Log4j 2.17.1 considered vulnerable within the context of SOAPUI Open Source, or is it considered safe/supported by SmartBear in this product?
- If it is not vulnerable in this context, can this be safely ignored or suppressed from a security standpoint?
- If it is considered vulnerable, is there an upcoming SOAPUI Open Source release planned that includes Log4j 2.25.3 or newer?
- If no such release is planned, could you provide recommended remediation steps (for example, instructions for upgrading or replacing the Log4j libraries manually, if supported)?
Currently, we are unable to meet security compliance requirements because SOAPUI 5.9.1 continues to ship with Log4j 2.17.1. Any guidance on timelines or supported workarounds would be greatly appreciated.
Thank you.
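A quick way to verify what the post describes, and to track it after any manual jar replacement, is to inventory the Log4j jars shipped in the install tree and compare their versions against the scanner's minimum. The script below is an added example, not SmartBear's or the SoapUI project's code; the install layout it walks (a `lib` directory of jars) and the sample jars it builds are constructed assumptions, and the 2.25.3 floor is simply the value from the post.

```python
"""Inventory Log4j jars under an install tree and flag those below a policy minimum.

Added example (not SmartBear's or the SoapUI project's code). The directory
layout, jar names and manifest contents below are assumptions/constructed;
point audit() at your real installation directory to check it.
"""
import os
import re
import tempfile
import zipfile

# Matches e.g. log4j-core-2.17.1.jar or log4j-1.2-api-2.17.1.jar (artifact, version).
JAR_NAME = re.compile(r"^(log4j-[a-z0-9.-]+?)-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def parse_version(text):
    """'2.17.1' -> (2, 17, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split("."))


def manifest_version(jar_path):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_log4j_jars(root):
    """Return sorted [(artifact, version, path)] for every log4j-*.jar under root.

    The manifest is the authoritative version; the filename is the fallback,
    which matters when a jar was renamed during a manual replacement."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = JAR_NAME.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path) or m.group(2)
            found.append((m.group(1).lower(), version, path))
    return sorted(found)


def below_minimum(jars, minimum):
    """Jars whose version is older than the policy floor (e.g. '2.25.3')."""
    floor = parse_version(minimum)
    return [j for j in jars if parse_version(j[1]) < floor]


def audit(root, minimum):
    """Inventory root and return (all_log4j_jars, jars_below_minimum)."""
    jars = find_log4j_jars(root)
    return jars, below_minimum(jars, minimum)


def make_sample_install(root):
    """Constructed sample tree: minimal jars containing only a manifest."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    samples = [
        ("log4j-api-2.17.1.jar", "2.17.1"),
        ("log4j-core-2.17.1.jar", "2.17.1"),
        ("log4j-1.2-api-2.17.1.jar", "2.17.1"),
        ("commons-io-2.11.0.jar", "2.11.0"),  # unrelated jar, must be ignored
    ]
    for name, version in samples:
        with zipfile.ZipFile(os.path.join(lib, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")


def demo(minimum="2.25.3"):
    """Build the constructed tree in a temp dir and audit it; returns (jars, outdated)."""
    root = tempfile.mkdtemp(prefix="log4j-audit-sample-")
    make_sample_install(root)
    return audit(root, minimum)


if __name__ == "__main__":
    jars, outdated = demo()
    for artifact, version, path in jars:
        print(f"{artifact:20} {version:10} {path}")
    print(f"{len(outdated)} Log4j jar(s) below the 2.25.3 floor")
```

Run it against the real installation with `audit("/path/to/soapui-install", "2.25.3")` (path assumed) and keep the output with the scanner ticket; because the script reads the manifest rather than trusting the filename, it also catches a replaced jar that was renamed to look newer than it is.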