Hello Thyagarajan,

The `secur...@logging.apache.org` list is used for vulnerability reports, not
user questions. Please use the `log4j-user@logging.apache.org` mailing list for
your questions.

Below I try to answer your questions:

> 1) Is there any script or command to verify which application utilizes
> log4j version

No, there is no such one-size-fits-all script or command.

> 2) do we have any steps how to upgrade Log4j version from lesser version
> to fix version
> Old version: 2.16.0 -> Upgrade to 2.17.1
> Old version less than 2.12.4 -> Upgrade to 2.12.4
> Old version less than 2.3.2 -> Upgrade to 2.3.2

I think there is a slight mistake in your reasoning. Every Log4j 2 user is
recommended to upgrade to the latest version, that is, 2.17.1, which
requires Java 8. For those who cannot upgrade to 2.17.1 due to Java
compatibility reasons, they are recommended to upgrade to 2.12.4 for Java 7
and 2.3.2 for Java 6.

On how to upgrade... In most cases, replacing the old log4j-core-2.X.X.jar
in your classpath with log4j-core-2.17.1 should simply work. If this
doesn't work for you, you can again consult this mailing list.

Kind regards.


On Fri, Feb 4, 2022 at 4:07 AM Krishnaswami, Thyagarajan <
t.krishnasw...@dxc.com> wrote:

> Hi Security team,
>
> I’m from SCCM support team. We do all applications deploy via sccm to
> workstation.
>
> We have many applications support of Log4j.
>
> Currently, we are identifying the applications which support Log4j and
> doing uninstall of that application.
>
>
>
> I saw the link. The following log4j has fix.
>
> https://logging.apache.org/log4j/2.x/security.html
>
> I need few information.
>
>
>
> 1) Is there any script or command to verify which application utilizes
> log4j version
>
> 2) do we have any steps how to upgrade Log4j version from lesser version
> to fix version
>
> Old version: 2.16.0 -> Upgrade to 2.17.1
>
> Old version less than 2.12.4 -> Upgrade to 2.12.4
>
> Old version less than 2.3.2 -> Upgrade to 2.3.2
>
>
>
> Thanks & Regards,
>
> Thyagarajan
>
> M +91 9884337499
> *DXC Technology*
> Chennai-600113
>
>
> dxc.technology <http://www.dxc.technology/>
>
>
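
An added example, not part of the original thread and not an Apache tool: a partial inventory helper that finds jars named like the `log4j-core-2.X.X.jar` mentioned in the reply and applies the reply's Java-version rule (2.17.1 for Java 8, 2.12.4 for Java 7, 2.3.2 for Java 6). The function names and the filename-only matching are assumptions; copies of Log4j bundled inside other archives or renamed jars are not detected.

```python
import re
import sys
from pathlib import Path

# Fixed releases named in the reply, keyed by the Java version the reply pairs each with.
FIXED_BY_JAVA = {8: (2, 17, 1), 7: (2, 12, 4), 6: (2, 3, 2)}
# Assumption: jars keep their standard file name (log4j-core-<version>.jar).
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?\.jar$", re.I)


def parse_version(filename):
    """Return (major, minor, patch) from a standard log4j-core jar name, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def target_for_java(java_major):
    """Newest fixed release from the reply that runs on this Java major version."""
    usable = [j for j in FIXED_BY_JAVA if j <= java_major]
    if not usable:
        raise ValueError(f"no fixed Log4j 2 release listed for Java {java_major}")
    return FIXED_BY_JAVA[max(usable)]


def dotted(version):
    return ".".join(str(part) for part in version)


def recommend(filename, java_major):
    """Return (found, action, target) for one jar, or None if it is not log4j-core."""
    ver = parse_version(filename)
    if ver is None:
        return None
    target = target_for_java(java_major)
    # "Fixed" means one of the three releases named in the reply, or anything newer.
    fixed = ver >= FIXED_BY_JAVA[8] or ver in FIXED_BY_JAVA.values()
    action = "ok" if fixed and ver >= target else "upgrade"
    return dotted(ver), action, dotted(target)


def scan(root, java_major):
    """Walk root and map each log4j-core jar path to its recommendation."""
    found = ((str(jar), recommend(jar.name, java_major))
             for jar in sorted(Path(root).rglob("log4j-core-*.jar")))
    return {path: result for path, result in found if result}


if __name__ == "__main__":
    for path, (ver, action, target) in scan(sys.argv[1], int(sys.argv[2])).items():
        print(f"{path}: {ver} -> {action} (target {target})")
```

Run it as `python scan_log4j.py <directory> <java-major-version>`; the script name is a placeholder.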
