Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/13 21:24:00 UTC

[jira] [Commented] (LOG4J2-3220) CVE-2021-44228

    [ https://issues.apache.org/jira/browse/LOG4J2-3220?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458726#comment-17458726 ] 

Volkan Yazici commented on LOG4J2-3220:
---------------------------------------

Log4j 1.x is not affected by CVE-2021-44228. This said, _an attacker having write access to the configuration files_ can alter the JMS appender setup in Log4j 1.x for exfiltration.

> CVE-2021-44228
> --------------
>
>                 Key: LOG4J2-3220
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3220
>             Project: Log4j 2
>          Issue Type: Question
>          Components: API
>    Affects Versions: 2.15.0
>            Reporter: Abdullah AbuHijleh
>            Priority: Major
>
> Hello,
>  
> Regarding [CVE-2021-44228] can you please confirm it is not affecting Log4j 1.x because we still have many customers using it?
>  
> Thanks



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
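
The comment above singles out the JMS appender setup in Log4j 1.x configuration files as the thing an attacker with write access would alter. As an added example (not from the issue or the Log4j project), this Python audit lists every JMSAppender defined in a `log4j.properties` file together with its options, so the result can be compared against what was deployed; the sample configuration and the function names are constructed, and XML configurations are not covered.

```python
import re

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
PREFIX = "log4j.appender."

# Constructed sample of a Log4j 1.x properties file (not taken from the issue).
SAMPLE = """\
log4j.rootLogger=INFO, console, audit
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
# a comment line
log4j.appender.audit = org.apache.log4j.net.JMSAppender
log4j.appender.audit.TopicConnectionFactoryBindingName=ConnectionFactory
log4j.appender.audit.TopicBindingName=example.topic
log4j.appender.audit.ProviderURL=tcp://broker.example.internal:61616
"""

def parse_properties(text):
    """Parse key=value lines; handles comments and backslash line continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            logical += line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", logical + line)
        if m:
            props[m.group(1)] = m.group(2)
        logical = ""
    return props

def find_jms_appenders(text):
    """Return {appender_name: {option: value}} for each JMSAppender defined."""
    props = parse_properties(text)
    found = {}
    for key, value in props.items():
        name = key[len(PREFIX):]
        if key.startswith(PREFIX) and "." not in name and value == JMS_APPENDER:
            opt_prefix = key + "."
            found[name] = {k[len(opt_prefix):]: v for k, v in props.items()
                           if k.startswith(opt_prefix)}
    return found

if __name__ == "__main__":
    for name, opts in find_jms_appenders(SAMPLE).items():
        print(name, opts)
```

Because the risk described depends on write access to the file, pair a check like this with file-integrity monitoring on the configuration path.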