CVE-2021-44228 and log4j 1.2.17

I am using log4j 1.2.17, and we also use apache-log4j-extras (same version).

Could you tell me whether CVE-2021-44228 affects this version?

Thanks

The specific vulnerability is not present there. See http://slf4j.org/log4shell.html:

Is log4j 1.x vulnerable? As log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. However, note that log4j 1.x is no longer being maintained. Thus, we urge you to migrate to one of its successors such as SLF4J and logback. Do migrate without delaying too much! Given that log4j version 1.x is still very widely deployed, we have been receiving a steady stream of questions regarding the vulnerability of log4j version 1.x.

As log4j 1.x does not offer a look up mechanism, it does not suffer from CVE-2021-44228.

Having said this, log4j 1.x is no longer being maintained with all the entailed security implications. Thus, we definitely urge you to migrate to one of its successors such as SLF4J/logback, sooner rather than later. But do migrate without waiting for months! Also note that tools exist to automate the migration.

For log4j version 1.x.x, if you use the JMS Appender in your log4j configuration, you are vulnerable. A description of the vulnerability and possible mitigations of CVE-2021-44228 is explained here.
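The answer above ties the residual exposure of a log4j 1.x deployment to one concrete condition: a JMSAppender declared in the logging configuration. The following script is an added example, not code from the question or any answer, that checks for exactly that condition in the two configuration formats log4j 1.x reads (log4j.properties and log4j.xml). The sample configuration texts are constructed for the demonstration; the appender class name `org.apache.log4j.net.JMSAppender` is the real log4j 1.x class.

```python
"""Scan log4j 1.x configuration text for a configured JMSAppender.

Added example (not from the original post). The check is purely on the
configuration: it reports which appenders are JMSAppender instances so an
operator can decide whether a 1.x deployment still needs to migrate or be
reconfigured. Sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Fully qualified class name of the JMS appender shipped with log4j 1.x.
JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# log4j.properties declares an appender as:  log4j.appender.<name>=<class>
# The name must not contain a dot, which keeps per-appender settings such as
# log4j.appender.<name>.TopicBindingName from being mistaken for declarations.
_PROPS_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")


def jms_appenders_in_properties(text: str) -> list[str]:
    """Return the names of appenders in log4j.properties text that are JMSAppender."""
    found = []
    for line in text.splitlines():
        stripped = line.lstrip()
        # '#' and '!' both start comments in Java .properties files.
        if not stripped or stripped.startswith(("#", "!")):
            continue
        match = _PROPS_APPENDER.match(line)
        if match and match.group(2) == JMS_APPENDER_CLASS:
            found.append(match.group(1))
    return found


def jms_appenders_in_xml(text: str) -> list[str]:
    """Return the names of <appender> elements in log4j.xml text whose class is JMSAppender.

    log4j.xml declares appenders as <appender name="..." class="..."> under a
    <log4j:configuration> root; the appender elements themselves carry no namespace.
    """
    root = ET.fromstring(text)
    return [
        appender.get("name", "")
        for appender in root.iter("appender")
        if appender.get("class") == JMS_APPENDER_CLASS
    ]


# Constructed sample log4j.properties with one console and one JMS appender.
SAMPLE_PROPERTIES = """\
# constructed sample configuration
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

# Constructed sample log4j.xml with the same two appenders.
SAMPLE_XML = """\
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="JMS" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root>
    <priority value="info"/>
    <appender-ref ref="CONSOLE"/>
    <appender-ref ref="JMS"/>
  </root>
</log4j:configuration>
"""


def main() -> None:
    for label, names in (
        ("log4j.properties", jms_appenders_in_properties(SAMPLE_PROPERTIES)),
        ("log4j.xml", jms_appenders_in_xml(SAMPLE_XML)),
    ):
        if names:
            print(f"{label}: JMSAppender configured as {names}; migrate or remove it")
        else:
            print(f"{label}: no JMSAppender configured")


if __name__ == "__main__":
    main()
```

Run it against your own files by reading them into the two functions instead of the constructed samples. A non-empty result means the appender the answer warns about is present; an empty result only says this particular condition is absent, and the end-of-life status of log4j 1.x described in the other answers still applies.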

As stated there, since log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. See also https://www.slf4j.org/log4shell.html

It should also be mentioned that the reload4j project fixes the outstanding vulnerabilities in log4j 1.x.