Hi Joe, Adding to what Davyd wrote. I just searched the codebase and the JndiLookup class (where the log4j vulnerability was found) does not exist in log4net. In fact, there is no code related to jndi at all as far as I can see.
David -----Original Message----- From: Davyd McColl <dav...@gmail.com> Sent: Tuesday, December 14, 2021 4:10 PM To: dev@logging.apache.org Subject: [EXTERNAL] Re: log4net Hi Joe No, it shouldn't, particularly because we're very different projects, on very different platforms, and I understand that the log4j vuln is largely linked to a _dependency_ of log4j. The closest we've had was an xml vuln that was patched some time ago. That being said, I'm currently the only maintainer and I definitely have written the least code in log4net, so if you or anyone else would like to audit for vulnerabilities (and, even better, PR mitigations), I'm all for it. -d On December 14, 2021 16:03:39 Joe Kelly <joe.ke...@okcu.org> wrote: > I was wondering if the log4net service has a similar vulnerability as > log4j. There isn't any information on the log4net security page and > the current version of 2.0.13 doesn't match the log4j version of 2.16.0. > > Joe Kelly > Information Security Analyst > P: 405.763.5425 > F: 405.602.6337 > https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55 > e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouaTpixMWg$ > <https://urldefense.com/v3/__https://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye > 55e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouYBYxYhmg$ > > > joe.ke...@okcu.org <mailto:joe.ke...@okcu.org> Oklahoma's Credit Union > Happy to Help(r) > > > > > > ________________________________ > > NOTICE: > This e-mail is intended solely for the use of the individual to whom > it is addressed and may contain information that is privileged, > confidential or otherwise exempt from disclosure. If the reader of > this e-mail is not the intended recipient or the employee or agent > responsible for delivering the message to the intended recipient, you > are hereby notified that any dissemination, distribution, or copying > of this communication is strictly prohibited. If you have received > this communication in error, please immediately notify us by replying > to the original message at the listed email address. > > Happy to Help > Oklahoma's Credit Union > https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55 > e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouaTpixMWg$ INTERNAL - NI CONFIDENTIAL
