[ https://issues.apache.org/jira/browse/LOG4J2-3444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511458#comment-17511458 ]
Gary D. Gregory commented on LOG4J2-3444:
-----------------------------------------

I do not see that we have to get in between two companies' businesses. You should contact them.

> Log4j 1.2 Unsupported Flagging by Nessus
> ----------------------------------------
>
>                 Key: LOG4J2-3444
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3444
>             Project: Log4j 2
>          Issue Type: Question
>            Reporter: Sanjeev Kumar
>            Priority: Major
>
> The Apache log4j open source software has critical security vulnerabilities
> in both major versions (1.x and 2.x). This is highlighted in:
> https://logging.apache.org/log4j/2.x/security.html
>
> We have many products deployed in RHEL7 that currently use log4j version 1.x.
> The Nessus plugin that scans for security vulnerabilities in products
> declares that Log4j version 1.2 is unsupported. The plugin details are in:
> https://www.tenable.com/plugins/nessus/156032
>
> This is solely based on the Apache Log4j EOL notice for version 1.x and the
> recommendation to upgrade to version 2.17+. The details of this are
> available in:
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
>
> But Red Hat has been supporting version 1.2 and deploying patches to address
> the recent security vulnerabilities, as evident in:
> https://access.redhat.com/errata/RHSA-2022:0439
>
> Since we have many third-party products dependent on log4j version 1.2 and
> we need to update these third-party products to log4j version 2.x, it is a
> huge development effort. We plan to upgrade to version 2.x in the future, but until
> then we need to address the Nessus plugin scans that are declaring Log4j
> version 1.2 as unsupported, which is clearly incorrect as per Red Hat.
>
> I request Log4j support to work with Nessus plugin support to
> facilitate declaring Log4j version 1.2.17+ as supported, and to not have the
> Nessus plugin scans described above flag Log4j version 1.2.17+
> as unsupported.
>
> It will give us some time frame for deploying the new Log4j 2.x.
>
> Also, if there is any other way to contact Log4j support in this matter,
> please let me know.
>
> Thanks,
> Sanjeev

--
This message was sent by Atlassian Jira
(v8.20.1#820001)