Hi Alexandre,

On 14/12/2021 11:51, Alexandre Rossi wrote:
> tag 1001684 moreinfo
> thanks
>
> Hi,
>
>> According to https://github.com/jagornet/dhcp/issues/20 , log4j 1.2 is
>> vulnerable to CVE-2019-17571, so davmail should use log4j 2.15 or 2.16
>> instead.
>
> According to the debian security tracker[1], this has been fixed in
> log4j so davmail uses a fixed version.
> https://security-tracker.debian.org/tracker/source-package/apache-log4j1.2

ok that's good news :-)

> Do you have exploit code that works against davmail or any other clue
> that davmail needs fixing?

Unfortunately not. I only stumbled upon this when examining our servers for instances vulnerable to CVE-2021-44228. Forums seem to claim that log4j versions 1.x are not safe either (different vulnerabilities), but without giving any specifics. However, the log4j team itself says versions 1.x are "end of life" and should be avoided. So, it's more a case of "better be safe than sorry" than any concrete exploit.

Also, for a while already, Java has had its own internal logging framework (java.util.logging.Logger), so there should be less and less reason to use potentially unsafe third-party logging libraries (but switching to Java's internal logging might be more difficult to do in the short run than just upgrading to a newer version).

> Thanks,
>
> Alex

Regards,

-- 
Alain Knaff
IT Engineer
LE GOUVERNEMENT DU GRAND-DUCHÉ DE LUXEMBOURG
Ministère de l'Environnement, du Climat et du Développement durable
Administration de l'environnement
1, avenue du Rock'n'Roll . L-4361 Esch-sur-Alzette
Tel. (+352) 40 56 56-309
E-Mail: alain.kn...@aev.etat.lu
www.emwelt.lu . www.environnement.public.lu . www.luxembourg.lu
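The server inventory the reply above describes, as an added shell example that is not part of this bug thread: it walks a directory tree for log4j jars and classifies each by the version in its Maven-style file name, using the thresholds the thread gives (1.x is end-of-life; 2.x before 2.15 is affected by CVE-2021-44228). The jar naming convention and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes jars use the usual
# Maven naming (log4j-1.2.17.jar, log4j-core-2.16.0.jar). Thresholds
# follow the thread: 1.x is end-of-life, 2.x below 2.15 is affected by
# CVE-2021-44228.

# classify_log4j_version VERSION -> EOL-1.x | VULNERABLE-CVE-2021-44228 | OK | UNKNOWN
classify_log4j_version() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"
    case "$major" in
        1) echo "EOL-1.x" ;;
        2) if [ "$minor" -lt 15 ] 2>/dev/null; then
               echo "VULNERABLE-CVE-2021-44228"
           else
               echo "OK"
           fi ;;
        *) echo "UNKNOWN" ;;
    esac
}

# version_from_jar PATH -> version string taken from the file name
# (the digits after the last '-'), empty if the name carries none
version_from_jar() {
    base="$(basename "$1" .jar)"
    echo "$base" | sed -n 's/.*-\([0-9][0-9.]*\)$/\1/p'
}

# scan_log4j DIR -> one "PATH<TAB>VERSION<TAB>STATUS" line per jar found
scan_log4j() {
    find "$1" -type f -name 'log4j*.jar' | while IFS= read -r jar; do
        ver="$(version_from_jar "$jar")"
        [ -n "$ver" ] || ver="unknown"
        printf '%s\t%s\t%s\n' "$jar" "$ver" "$(classify_log4j_version "$ver")"
    done
}
```

Run it as `scan_log4j /usr/share/java` (or any application lib directory); a jar without a version in its name is reported as UNKNOWN and needs a manual look at its manifest.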