Posted to notifications@logging.apache.org by "Matt Sicker (Jira)" <ji...@apache.org> on 2021/12/16 22:22:00 UTC

[jira] [Commented] (LOG4J2-3244) version 2.16 affected by CVE-2021-4104

    [ https://issues.apache.org/jira/browse/LOG4J2-3244?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17461071#comment-17461071 ] 

Matt Sicker commented on LOG4J2-3244:
-------------------------------------

This was fixed in 2.12.2 at least. If you're using the JMS appender, make sure to use 2.12.2 for now. If you're not using the JMS appender, then you shouldn't have to worry about this (especially if you don't have a JMS implementation available on your classpath).

> version 2.16 affected by CVE-2021-4104
> --------------------------------------
>
>                 Key: LOG4J2-3244
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3244
>             Project: Log4j 2
>          Issue Type: Story
>          Components: Appenders
>            Reporter: Alysson Bruno
>            Priority: Major
>              Labels: security
>
> Hi folks,
> I'm investigating replacing my log4j1 with log4j 2.16 because of the threat found in CVE-2021-4104 (https://access.redhat.com/security/cve/CVE-2021-4104), but I searched the Javadoc for 2.x and found JMSAppender [here|https://logging.apache.org/log4j/2.x/log4j-core/apidocs/org/apache/logging/log4j/core/appender/mom/JmsAppender.htm]. Is it possible to remove it?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
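
One way to check whether a deployment uses the JMS appender the comment refers to, as an added example that is not part of the original thread or the Log4j project's code: it scans a Log4j 2 XML configuration for appenders declared with the plugin name JMS or its aliases JMSQueue and JMSTopic. The sample configuration, broker host and appender names are constructed, and configurations in other formats or built programmatically are not covered.

```python
import xml.etree.ElementTree as ET

# Plugin name and aliases of the Log4j 2 JMS appender (matched case-insensitively).
JMS_PLUGIN_NAMES = {"jms", "jmsqueue", "jmstopic"}

# Constructed sample configuration; names and broker host are placeholders.
SAMPLE_CONFIG = """
<Configuration status="warn">
  <Appenders>
    <Console name="stdout"><PatternLayout pattern="%m%n"/></Console>
    <JMS name="audit-queue" destinationBindingName="queue/audit"
         factoryBindingName="ConnectionFactory"
         providerURL="tcp://broker.example.internal:61616"/>
    <Appender type="JMSTopic" name="events"
              providerURL="tcp://broker.example.internal:61616"/>
  </Appenders>
  <Loggers><Root level="info"><AppenderRef ref="stdout"/></Root></Loggers>
</Configuration>
"""

def _local(tag):
    """Lower-cased element name without any '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1].lower()

def find_jms_appenders(config_xml):
    """Return one dict per JMS appender declared in a Log4j 2 XML config."""
    found = []
    root = ET.fromstring(config_xml)
    for section in root.iter():
        if _local(section.tag) != "appenders":
            continue
        # Walk descendants too: appenders can be nested inside other appenders.
        for el in section.iter():
            attrs = {k.lower(): v for k, v in el.attrib.items()}
            # Concise syntax uses the plugin name as the tag; strict syntax
            # uses <Appender type="...">.
            is_strict = _local(el.tag) == "appender"
            plugin = (attrs.get("type", "") if is_strict else _local(el.tag)).lower()
            if plugin in JMS_PLUGIN_NAMES:
                found.append({"name": attrs.get("name"),
                              "plugin": plugin,
                              "provider_url": attrs.get("providerurl")})
    return found

if __name__ == "__main__":
    for hit in find_jms_appenders(SAMPLE_CONFIG):
        print(f"JMS appender {hit['name']!r} ({hit['plugin']}) -> {hit['provider_url']}")
```

An empty result for every configuration file the application loads matches the "not using the JMS appender" case in the comment above.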