Brandon Bauley created LOG4J2-3209:
--------------------------------------
Summary: Is Log4j 1.2.16 at risk for the CVE-2021-44228 bug
Key: LOG4J2-3209
URL: https://issues.apache.org/jira/browse/LOG4J2-3209
Project: Log4j 2
Issue Type: Question
Reporter: Brandon Bauley
Fix For: 2.15.0
Hello,
We currently are using an application that's running log4j 1.2.16 and I don't
see a direct mention if this version is affected by CVE-2021-44228 or not. I
understand that 1.2.16 hasn't been supported for a while now, but I'm hoping I
could still get your guys' thoughts on it all since I believe it will take some
time before we can upgrade this to the newest version where this is fixed.
I'm seeing different responses so far where SLF4J has mentioned, "As log4j 1.x
does not offer a look up mechanism, it does not suffer from CVE-2021-44228 in
any shape or form." (see http://slf4j.org/log4shell.html), but I also see on
your guys' website in the description of CVE-2021-44228 that all prior versions
before 2.10 can be mitigated by removing the JndiLookup class from the
classpath (see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
Could I get a confirmation if mitigation is needed for this version of log4j?
Thanks so much,
Brandon
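As an added example (not part of this issue or of the Log4j project's own code), a Python inventory check that tells the two generations apart on disk: log4j 1.x jars carry org/apache/log4j/Logger.class and never contained JndiLookup, while log4j-core 2.x jars carry org/apache/logging/log4j/core/lookup/JndiLookup.class unless it has been removed as the CVE description suggests. The class paths are the real ones; the sample jars, their pom.properties path and version strings are constructed inline so the script runs offline.

```python
import os, tempfile, zipfile

# Real class paths for the two log4j generations; everything else here is constructed.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Return (generation, version, has_jndi_lookup) for one jar file."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        version = "unknown"
        for name in names:  # Maven-built jars carry META-INF/maven/.../pom.properties
            if name.endswith("/pom.properties") and "log4j" in name:
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
    if LOG4J1_MARKER in names:
        generation = "log4j-1.x"
    elif LOG4J2_MARKER in names:
        generation = "log4j-2.x-core"
    else:
        generation = "not-log4j"
    return generation, version, JNDI_LOOKUP in names

def scan_tree(root):
    """Classify every *.jar under root, keyed by file name."""
    return {f: classify_jar(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files if f.endswith(".jar")}

def build_sample_jars(directory):
    """Write three constructed jars: 1.x, 2.x with JndiLookup, 2.x with it removed."""
    samples = {  # file name: (placeholder class entries, version string)
        "log4j-1.2.16.jar": ([LOG4J1_MARKER], "1.2.16"),
        "log4j-core-2.9.1.jar": ([LOG4J2_MARKER, JNDI_LOOKUP], "2.9.1"),
        "log4j-core-2.9.1-stripped.jar": ([LOG4J2_MARKER], "2.9.1"),
    }
    for name, (classes, version) in samples.items():
        with zipfile.ZipFile(os.path.join(directory, name), "w") as jar:
            for cls in classes:
                jar.writestr(cls, b"")  # empty entry, not real bytecode
            jar.writestr("META-INF/maven/log4j/pom.properties", "version=%s\n" % version)

def demo():
    """Build the sample jars in a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return scan_tree(tmp)
```

Pointing scan_tree at a real application directory gives the same three-part answer per jar: which generation it is, which version its pom.properties claims, and whether JndiLookup is still present.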
--
This message was sent by Atlassian Jira
(v8.20.1#820001)