ceki removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-991796194


> > When there are literally millions of log4j 1.x users out there, can you stop toying around?
> > There is no lookup expansion in log4j 1.x and it does not suffer from [CVE-2021-44228](https://github.com/advisories/GHSA-jfh8-c2jp-5v3q). How hard is it to admit?
>
> Hi @ceki, thank you for clarifying that Log4j 1.x is not impacted by this vulnerability. I updated my previous comments by linking to [your analysis on Twitter](https://twitter.com/ceki/status/1469449618316533762), happy to link to other sources as well.

There are actually two vulnerabilities: the one outlined here and CVE-2021-44228. Log4j 1.x is not vulnerable to CVE-2021-44228. However, it is vulnerable to lesser JNDI injection exploits, that is, to an attacker already having write access to its config file.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
