This question has been asked several times now. I'm proposing to update the website so that it is more obvious that log4net and log4xx are not affected.
On Tue, 14 Dec 2021 at 17:48, Matt Sicker <[email protected]> wrote: > JNDI is a Java API (Java Naming and Directory Interface) for abstracting > various networking APIs like LDAP, DNS, etc. It’s not present in .NET or > C++ (or any non-JVM language), so it does not affect log4net or log4cxx. > -- > Matt Sicker > > > On Dec 14, 2021, at 08:54, David Schwartz <[email protected]> wrote: > > > > Hi Joe, > > > > Adding to what Davyd wrote. I just searched the codebase and the > JndiLookup class (where the log4j vulnerability was found) does not exist > in log4net. In fact, there is no code related to jndi at all as far as I > can see. > > > > David > > > > -----Original Message----- > > From: Davyd McColl <[email protected] <mailto:[email protected]>> > > Sent: Tuesday, December 14, 2021 4:10 PM > > To: [email protected] <mailto:[email protected]> > > Subject: [EXTERNAL] Re: log4net > > > > Hi Joe > > > > No, it shouldn't, particularly because we're very different projects, on > very different platforms, and I understand that the log4j vuln is largely > linked to a _dependency_ of log4j. The closest we've had was an xml vuln > that was patched some time ago. > > > > That being said, I'm currently the only maintainer and I definitely have > written the least code in log4net, so if you or anyone else would like to > audit for vulnerabilities (and, even better, PR mitigations), I'm all for > it. > > > > -d > > > > > > On December 14, 2021 16:03:39 Joe Kelly <[email protected]> wrote: > > > >> I was wondering if the log4net service has a similar vulnerability as > >> log4j. There isn't any information on the log4net security page and > >> the current version of 2.0.13 doesn't match the log4j version of 2.16.0. > >> > >> Joe Kelly > >> Information Security Analyst > >> P: 405.763.5425 > >> F: 405.602.6337 > >> https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55 > <https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55> > >> e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouaTpixMWg$ > >> <https://urldefense.com/v3/__https://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye > <https://urldefense.com/v3/__https://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye> > >> 55e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouYBYxYhmg$ > > >> > >> [email protected] <mailto:[email protected]> <mailto: > [email protected] <mailto:[email protected]>> Oklahoma's Credit Union > >> Happy to Help(r) > >> > >> > >> > >> > >> > >> ________________________________ > >> > >> NOTICE: > >> This e-mail is intended solely for the use of the individual to whom > >> it is addressed and may contain information that is privileged, > >> confidential or otherwise exempt from disclosure. If the reader of > >> this e-mail is not the intended recipient or the employee or agent > >> responsible for delivering the message to the intended recipient, you > >> are hereby notified that any dissemination, distribution, or copying > >> of this communication is strictly prohibited. If you have received > >> this communication in error, please immediately notify us by replying > >> to the original message at the listed email address. > >> > >> Happy to Help > >> Oklahoma's Credit Union > >> https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55 > <https://urldefense.com/v3/__http://www.okcu.org__;!!FbZ0ZwI3Qg!6hdye55> > >> e93GuHBF0X4qMKophICSr0Nb5ggI6RBgb2lJoysQv8jdWynWoouaTpixMWg$ > > > > INTERNAL - NI CONFIDENTIAL > > -- Dominik Psenner
