Posted to notifications@logging.apache.org by "Volkan Yazici (Jira)" <ji...@apache.org> on 2021/12/13 08:08:00 UTC

[jira] [Commented] (LOG4J2-3209) Is Log4j 1.2.16 at risk for the CVE-2021-44228 bug

    [ https://issues.apache.org/jira/browse/LOG4J2-3209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458199#comment-17458199 ] 

Volkan Yazici commented on LOG4J2-3209:
---------------------------------------

[~bbauley], Log4j 1 and Log4j 2 are two totally different beasts. Log4j 1 reached its end of life in 2015. I think you are already taking quite some risk by using such outdated software.

Regarding your question, no, *Log4j 1 is not affected by CVE-2021-44228*. Log4j 1 has certain configurations where JNDI was employed, yet, to the best of my knowledge, none expose a known vulnerability.

> Is Log4j 1.2.16 at risk for the CVE-2021-44228 bug
> --------------------------------------------------
>
>                 Key: LOG4J2-3209
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3209
>             Project: Log4j 2
>          Issue Type: Question
>            Reporter: Brandon Bauley
>            Priority: Critical
>             Fix For: 2.15.0
>
>
> Hello,
> We currently are using an application that's running log4j 1.2.16 and I don't see a direct mention if this version is affected by CVE-2021-44228 or not. I understand that 1.2.16 hasn't been supported for a while now, but I'm hoping I could still get your guys' thoughts on it all since I believe it will take some time before we can upgrade this to the newest version where this is fixed. 
> I'm seeing different responses so far where SLF4J has mentioned, "As log4j 1.x does not offer a look up mechanism, it does not suffer from CVE-2021-44228 in any shape or form." (see http://slf4j.org/log4shell.html), but I also see on your guys' website in the description of CVE-2021-44228 that all prior versions before 2.10 can be mitigated by removing the JndiLookup class from the classpath (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
>  
> Could I get a confirmation if mitigation is needed for this version of log4j? 
> Thanks so much,
> Brandon



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
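An added example, not part of the Jira thread above: a Python check that tells a Log4j 1.x jar from a Log4j 2.x one on the classpath and applies the pre-2.10 workaround the reporter quotes (removing JndiLookup.class). The jars are constructed in-memory fixtures, not real Log4j artifacts; the two class paths are the real ones for each generation.

```python
import io
import zipfile

# Real class names used to tell the two Log4j generations apart.
# Log4j 1.x lives under org/apache/log4j/, Log4j 2.x under org/apache/logging/log4j/.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"


def build_fixture_jar(entries):
    """Build a constructed in-memory jar (a zip) with the given entry names.

    The entry bodies are only the class-file magic; this is test data, not bytecode.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def classify_jar(jar_bytes):
    """Say how CVE-2021-44228 applies to a jar, following the thread's reasoning."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    if LOG4J1_MARKER in names:
        # Log4j 1 has no lookup mechanism, so the CVE does not apply, but it is EOL.
        return "log4j-1.x: not affected by CVE-2021-44228, but end-of-life"
    if JNDI_LOOKUP in names:
        return "log4j-2.x: JndiLookup present, upgrade or remove the class"
    if any(n.startswith(LOG4J2_CORE_PREFIX) for n in names):
        return "log4j-2.x: JndiLookup already removed"
    return "not a log4j jar"


def remove_jndi_lookup(jar_bytes):
    """Rewrite the jar without JndiLookup.class (the pre-2.10 workaround)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            if item.filename == JNDI_LOOKUP:
                continue  # drop the lookup class, copy everything else unchanged
            dst.writestr(item, src.read(item.filename))
    return out.getvalue()
```

Running `classify_jar` over every jar on a classpath gives the inventory the reporter was asking for; `remove_jndi_lookup` is only a stopgap until the upgrade the thread points to.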