[ https://issues.apache.org/jira/browse/LOG4J2-3444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511518#comment-17511518 ]
Piotr Karwasz commented on LOG4J2-3444:
---------------------------------------

You can try replacing {{log4j}} with the [Log4j 1.x bridge|https://logging.apache.org/log4j/2.x/manual/migration.html], which provides binary compatibility with the most common Log4j 1.x usages. Is it flagged by your security scanner?

> Log4j 1.2 Unsupported Flagging by Nessus
> ----------------------------------------
>
> Key: LOG4J2-3444
> URL: https://issues.apache.org/jira/browse/LOG4J2-3444
> Project: Log4j 2
> Issue Type: Question
> Reporter: Sanjeev Kumar
> Priority: Major
>
> The Apache log4j open source software has critical security vulnerabilities
> in both major versions (1.x and 2.x). This is highlighted in:
> https://logging.apache.org/log4j/2.x/security.html
>
> We have many products deployed in RHEL7 that currently use log4j version 1.x.
> The Nessus Plugin that scans the security vulnerabilities in products
> declares that Log4j version 1.2 is unsupported. The Plugin details are in:
> https://www.tenable.com/plugins/nessus/156032
>
> This is solely based on the Apache Log4j EOL notice for version 1.x and
> the recommendation to upgrade to version 2.17+. The details are
> available in:
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
>
> But RedHat has been supporting deploying patches to version 1.2 to address
> the recent security vulnerabilities and deploying patches, as evident in:
> https://access.redhat.com/errata/RHSA-2022:0439
>
> Since we have many third-party products dependent on log4j version 1.2 and
> we need to update these third-party products to log4j version 2.x, it is a
> huge development. We plan to upgrade to version 2.x in the future, but until
> then we need to address the Nessus Plugin scans that are declaring Log4j
> version 1.2 as unsupported, which is clearly incorrect as per RedHat.
>
> I request Log4j support to work with Nessus Plugin support to
> facilitate declaring Log4j version 1.2.17+ as supported and not flag any
> scans from the Nessus Plugin described above as Log4j version 1.2.17+
> being unsupported. It will give us some time frame for deploying the new Log4j
> 2.x.
>
> Also, if there's any other way to contact Log4j support in this matter,
> please let me know.
>
> Thanks,
> Sanjeev

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
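The swap Piotr suggests, as an added Maven example that is not part of the Jira thread or the Log4j project's own documentation: the EOL {{log4j:log4j:1.2.17}} artifact is removed and the Log4j 2 runtime plus the {{log4j-1.2-api}} bridge take its place, so application code written against {{org.apache.log4j.*}} keeps compiling and running. The version property is an assumption (any 2.17+ release, as the issue itself recommends).

```xml
<!-- Before (the artifact the scanner flags): the EOL Log4j 1.2 jar.
     Remove this block entirely; leaving it alongside the bridge puts two
     copies of org.apache.log4j.* on the classpath. -->
<!--
<dependency>
  <groupId>log4j</groupId>
  <artifactId>log4j</artifactId>
  <version>1.2.17</version>
</dependency>
-->

<!-- After: Log4j 2 runtime plus the 1.x bridge. The bridge supplies
     binary-compatible org.apache.log4j classes that forward to Log4j 2,
     covering the common Logger/Category/MDC usages. -->
<properties>
  <!-- Assumed version: any 2.17+ release; 2.17.1 is used as a placeholder. -->
  <log4j2.version>2.17.1</log4j2.version>
</properties>

<dependencies>
  <!-- Compatibility shim: implements the Log4j 1.x API on top of Log4j 2. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <!-- Log4j 2 API and implementation that the bridge forwards to. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
  </dependency>
</dependencies>
```

Code that extends Log4j 1.x internals (custom appenders, layouts, filters) falls outside the "most common usages" the bridge covers and still has to be ported, and a dependency-tree check ({{mvn dependency:tree}}) is worth running to confirm no third-party jar drags {{log4j:log4j}} back in transitively.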