Posted to dev@logging.apache.org by anchit parmar <an...@idbiintech.com.INVALID> on 2022/01/20 14:12:17 UTC

Is log4j 2.12.4

Dear Team,

 

Please confirm if 2.12.4 is vulnerable to the following CVEs:

1) CVE-2021-45105 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105>

2) CVE-2021-45046 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046>

3) CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>

 

Also, 

As per https://endoflife.date/log4j, log4j version 2.12.x has reached its
EOL. The Log4j team no longer supports Java 7.

Please confirm if the above statement is true or not.

 

 

Warm Regards,

Anchit Parmar

Team Lead - Vulnerability Management & Penetration Testing Practice

Information Security Department          

IDBI Intech Limited, IDBI Bank Building, Plot No. 39-41, Sector-11,

CBD Belapur, Navi Mumbai - 400 614.

Cell- 8779522843

Re: Is log4j 2.12.4

Posted by Gary Gregory <ga...@gmail.com>.
Hello Anchit,

The only reliable source of information is our security page here
https://logging.apache.org/log4j/2.x/security.html where you will find answers
to your questions.

We do not control what other sites say, nor would I want to review the
whole internet ;-)

Gary


Re: Is log4j 2.12.4

Posted by Ralph Goers <ra...@dslextreme.com>.
I believe I already answered this off-list.

Ralph
