No, you are talking about Apache Commons Logging. The CVE is against, Apache Log4j. Commons Logging is an API that is backed by an implementation like Log4j, you will need to audit your application to see what logging implementation it uses.
Gary On Tue, Dec 14, 2021, 14:51 Azeemuddin Khaja <[email protected]> wrote: > We have org.apache.commons.logging_1.2.jar deployed with some of our apps > (as its bundled with POI library) and want to confirm if this is impacted > by CVE-2021-44228. It looks like logging_1.2 has a class called > Log4JLogger.class and would like to confirm if this has the same > vulnerability that has been identified with Log4j ( > https://www.oracle.com/security-alerts/alert-cve-2021-44228.html). > > Thanks. > > NOTICE: This message, including all attachments transmitted with it, is > intended solely for the use of the Addressee(s) and may contain information > that is PRIVILEGED, CONFIDENTIAL, and/or EXEMPT FROM DISCLOSURE under > applicable law. If you are not the intended recipient, you are hereby > notified that any disclosure, copying, distribution, or use of the > information contained herein is STRICTLY PROHIBITED. If you received this > communication in error, please destroy all copies of the message, whether > in electronic or hard copy format, as well as attachments and immediately > contact the sender by replying to this email or contact the sender at the > telephone numbers listed above. Thank you! >
