Security Warning: CVE-2021-44228 flagged by Wiz

[islamneddar]

Hi 👋,

I'm opening this issue because my security scanner (Wiz) flagged a potential vulnerability: CVE-2021-44228 (Log4Shell) in a project that uses react-native-get-random-values.

However, this package is JavaScript-based and does not depend on Java or Log4j, which makes me suspect it could be a false positive. The vulnerability is associated with the Java logging library Log4j, but this project doesn't have any relation to Java at all unless in the android package.

Here's the context:

Package: react-native-get-random-values

Dependency tree: indirectly used through @aws-sdk/middleware-retry@3.8.0

Scanner: Wiz

CVE: CVE-2021-44228

Please confirm if this project or any of its dependencies could include Log4j (directly or transitively) ?

[SomethingNew71]

I would also second this issue we are experiencing on a few of our production applications. Could we perhaps get a fix in to address this?

[SomethingNew71]

@LinusU I created a PR to fix this if you would be kind enough to review and merge. :-)