Baoqi removed a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990861408


   > @Baoqi so this CVE impact log4j v 1.xx only if app is using JMSAddapter in
   > log4j configuration(log4j.properties) or not?
   
   @sysmat I don't have an answer for this, as I'm not familiar with log4j.
Based on my limited knowledge, the well-known exploit steps for
CVE-2021-44228 only work for log4j 2.x (before 2.15.0). But they cannot
exploit log4j 1.2.17. So, it may not be affected. But, as mentioned by
remkop: "Also note that Log4j 1.x is End of Life and has other security
vulnerabilities that will not be fixed.", so log4j 1.2.17 may have other
known or unknown vulnerabilities.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
