mageshwarang commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990765517


   @remkop Thanks for clarifying on log4j 1.x.  One of my old applications 
is still using `log4j-1.2.17` and a few of my applications are using 
`log4j-over-slf4j`.  But none of them have any dependencies on 
`log4j-core`.  So as you had mentioned here,
   
   `I believe that applications that use log4j-api with log4j-to-slf4j, without 
using log4j-core, are not impacted by this vulnerability. (Because the lookup 
and JNDI implementations are in log4j-core.)`
   
   I am not making any changes to my application - not upgrading it to 
`2.15.0` or adding any system properties (`log4j2.formatMsgNoLookups=true`) 
to overcome this vulnerability - as my application will not be impacted.
   
   Kindly correct me if I am wrong.


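The comment above rests on `log4j-core` being absent from the deployed artifact, including jars nested inside a WAR or fat jar. The following check is an added example, not part of the original comment or the Log4j project; the function names and the sample archives are constructed for illustration, and it assumes the JNDI lookup class is `org.apache.logging.log4j.core.lookup.JndiLookup`.

```python
import io
import sys
import zipfile

# Class implementing the JNDI lookup; it ships in log4j-core, not in log4j-api.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def find_jndi_lookup(data, label, depth=0, max_depth=4):
    """Return the archive paths (outer!/inner) that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to inspect
    with zf:
        for name in zf.namelist():
            # endswith() also catches classes unpacked under WEB-INF/classes etc.
            if name == JNDI_LOOKUP or name.endswith("/" + JNDI_LOOKUP):
                if label not in hits:
                    hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}",
                                         depth + 1, max_depth)
    return hits

def make_zip(entries):
    """Build an in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_samples():
    """Constructed archives: API plus SLF4J bridge only, and one bundling log4j-core."""
    api = make_zip({"org/apache/logging/log4j/Logger.class": b""})
    bridge = make_zip({"org/apache/logging/slf4j/SLF4JLogger.class": b""})
    core = make_zip({JNDI_LOOKUP: b""})
    clean = make_zip({"WEB-INF/lib/log4j-api.jar": api,
                      "WEB-INF/lib/log4j-to-slf4j.jar": bridge})
    bundled = make_zip({"BOOT-INF/lib/log4j-api.jar": api,
                        "BOOT-INF/lib/log4j-core.jar": core})
    return clean, bundled

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. python scan.py app.war other.jar
        with open(path, "rb") as fh:
            for hit in find_jndi_lookup(fh.read(), path):
                print("log4j-core lookup class found in", hit)
```

A hit means `log4j-core` is bundled; it says nothing about which version, and Log4j 1.x jars are outside what this checks.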