You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@commons.apache.org by Azeemuddin Khaja <ak...@my.uno.edu> on 2021/12/14 19:51:01 UTC
Does logging_1.2.jar have the vulnerability recently identified with Log4j?
We have org.apache.commons.logging_1.2.jar deployed with some of our apps (as its bundled with POI library) and want to confirm if this is impacted by CVE-2021-44228. It looks like logging_1.2 has a class called Log4JLogger.class and would like to confirm if this has the same vulnerability that has been identified with Log4j (https://www.oracle.com/security-alerts/alert-cve-2021-44228.html).
Thanks.
NOTICE: This message, including all attachments transmitted with it, is intended solely for the use of the Addressee(s) and may contain information that is PRIVILEGED, CONFIDENTIAL, and/or EXEMPT FROM DISCLOSURE under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein is STRICTLY PROHIBITED. If you received this communication in error, please destroy all copies of the message, whether in electronic or hard copy format, as well as attachments and immediately contact the sender by replying to this email or contact the sender at the telephone numbers listed above. Thank you!
Re: Does logging_1.2.jar have the vulnerability recently identified with Log4j?
Posted by Gary Gregory <ga...@gmail.com>.
No, you are talking about Apache Commons Logging. The CVE is against,
Apache Log4j. Commons Logging is an API that is backed by an implementation
like Log4j, you will need to audit your application to see what logging
implementation it uses.
Gary
On Tue, Dec 14, 2021, 14:51 Azeemuddin Khaja <ak...@my.uno.edu> wrote:
> We have org.apache.commons.logging_1.2.jar deployed with some of our apps
> (as its bundled with POI library) and want to confirm if this is impacted
> by CVE-2021-44228. It looks like logging_1.2 has a class called
> Log4JLogger.class and would like to confirm if this has the same
> vulnerability that has been identified with Log4j (
> https://www.oracle.com/security-alerts/alert-cve-2021-44228.html).
>
> Thanks.
>
> NOTICE: This message, including all attachments transmitted with it, is
> intended solely for the use of the Addressee(s) and may contain information
> that is PRIVILEGED, CONFIDENTIAL, and/or EXEMPT FROM DISCLOSURE under
> applicable law. If you are not the intended recipient, you are hereby
> notified that any disclosure, copying, distribution, or use of the
> information contained herein is STRICTLY PROHIBITED. If you received this
> communication in error, please destroy all copies of the message, whether
> in electronic or hard copy format, as well as attachments and immediately
> contact the sender by replying to this email or contact the sender at the
> telephone numbers listed above. Thank you!
>