[ 
https://issues.apache.org/jira/browse/LOG4J2-3444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511458#comment-17511458
 ] 

Gary D. Gregory commented on LOG4J2-3444:
-----------------------------------------

I do not see that we have to get in between two companies' businesses. You 
should contact them.

> Log4j 1.2 Unsupported Flagging by Nessus
> ----------------------------------------
>
>                 Key: LOG4J2-3444
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3444
>             Project: Log4j 2
>          Issue Type: Question
>            Reporter: Sanjeev Kumar
>            Priority: Major
>
> The Apache log4j open source software has critical security vulnerabilities 
> in both major versions (1.x and 2.x). This is highlighted in:
> https://logging.apache.org/log4j/2.x/security.html
> We have many products deployed on RHEL7 that currently use log4j version 1.x.
> The Nessus plugin that scans for security vulnerabilities in products 
> declares that Log4j version 1.2 is unsupported. The plugin details are in:
> https://www.tenable.com/plugins/nessus/156032
> This is solely based on the Apache Log4j EOL notice for version 1.x and the 
> recommendation to upgrade to version 2.17+. The details are 
> available in:
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> But Red Hat has been supporting version 1.2 and deploying patches to address 
> the recent security vulnerabilities, as evident in:
> https://access.redhat.com/errata/RHSA-2022:0439
> Since we have many third-party products dependent on log4j version 1.2, and 
> we need to update these third-party products to log4j version 2.x, it is a 
> huge development effort. We plan to upgrade to version 2.x in the future, but until 
> then we need to address the Nessus plugin scans that are declaring Log4j 
> version 1.2 as unsupported, which is clearly incorrect as per Red Hat.
> I request Log4j support to work with Nessus plugin support to 
> facilitate declaring Log4j version 1.2.17+ as supported, and to not have the 
> Nessus plugin scans described above flag Log4j version 1.2.17+ 
> as unsupported. It will give us some time frame for deploying the new Log4j 
> 2.x. 
> Also, if there is any other way to contact Log4j support in this matter, 
> please let me know.
> Thanks,
> Sanjeev



--
This message was sent by Atlassian Jira
(v8.20.1#820001)