Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/10 12:07:48 UTC

[GitHub] [logging-log4j2] Baoqi removed a comment on pull request #608: Restrict LDAP access via JNDI

Baoqi removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408


   > @Baoqi so does this CVE impact log4j v 1.xx only if the app is using JMSAddapter in the log4j configuration (log4j.properties), or not?
   
   @sysmat I don't have an answer for this, as I'm not familiar with log4j. Based on my limited knowledge, the well-known exploit steps for CVE-2021-44228 only work for log4j 2.x (before 2.15.0), but cannot exploit log4j 1.2.17. So, it may not be affected. But, as mentioned by remkop: "Also note that Log4j 1.x is End of Life and has other security vulnerabilities that will not be fixed.", so log4j 1.2.17 may have other known or unknown vulnerabilities.
   

