Thanks for these questions. Yes, if you move to Log4j 2.17.1 and use those 3 jars then all Log4j CVEs (both 1.x and 2.x) will have been resolved.
How well the log4j-1.2-api works for you will depend on how many customizations you made around Log4j 1.x. The API has always worked well that just did their logging against the Log4j 1.x Logger class and didn’t customize anything. Recently we have been improving the migration support to support users who created their own custom components and need to use the log4j 1.x configuration files. But these enhancements would not be in 2.12.x releases For the appropriate information you should consult the Log4j 2 websites. All prior versions of the web site are available based on the version number. For example, the migration information for 2.12.4 can be found at https://logging.apache.org/log4j/log4j-2.12.4/manual/migration.html. Without knowing your application it would be impossible for me to say whether using log4j-1.2-api will be sufficient to migrate your application to Log4j 2, especially at older releases. I am afraid that you will have to test it to see. Ralph > On Jan 15, 2022, at 8:56 PM, 이초 <pplx...@gmail.com> wrote: > > Hello > We are currently using the log4j1.x version for the Legacy System and are > trying to upgrade to the latest version. > We removed the class file, which is a temporary measure, but we recommend > upgrading it later. > Unfortunately, if we simply change the jar file log4j1.x to log4j2.17.1, > other old library cause problems. > So, using the Log4j1.x bridge (log4j-1.2-api) way on the link to > https://logging.apache.org/log4j/2.x/manual/migration.html, > It works normally. > If we use the bridge way like this, can we solve the security issue of > log4j1.x and the security issue of log4j2 at once? > There are only three log4j items on the project. > log4j-api-2.17.1.jar > log4j-core-2.17.1.jar > log4j-1.2-api-2.17.1.jar > > I don't think there will be a problem, but we want official answers about > the bridge way. > The above version is based on JDK8, and will the JDK6 and JDK7 solve this > problem if we process the latest version released on the site the same? > > We are looking forward to your answer about this problem. > If there is no additional problem, Can I officially use the answer? > Or is it possible to add content to the apache logging site? > > I would like to hear from you about my email. > Thank you. --------------------------------------------------------------------- To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org For additional commands, e-mail: log4j-user-h...@logging.apache.org