[
https://issues.apache.org/jira/browse/DIRSERVER-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17474653#comment-17474653
]
Michael commented on DIRSERVER-2362:
------------------------------------
Yes, specific vulnerability includes Log4Shell, JNDI Lookup.
According to this article, log4j1.x doesn't offer JNDI lookup but it does come
with JMSAppender which can also be vulnerable for an attack.
[https://www.slf4j.org/log4shell.html]
Do you know if ApacheDS log4j1.2 use JMSAppender? or any other possible
vulnerability?
In addition, is there a plan for ApacheDS to move to newer log4j2 version that
resolves these security vulnerabilities?
> ApacheDS 2.0.0-M17 references older log4j that has security vulnerabilities
> ---------------------------------------------------------------------------
>
> Key: DIRSERVER-2362
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2362
> Project: Directory ApacheDS
> Issue Type: Bug
> Affects Versions: 2.0.0-M17
> Reporter: Michael
> Priority: Major
>
> ApacheDS 2.0.0-M17 (apacheds-service-2.0.0-M17.jar) references older log4j
> version that might have security vulnerabilities.
> Does ApacheDS 2.0.0-M17 log4j reference have security vulnerabilities?
> Is there a newer ApacheDS version that uses newer log4j2 that resolves the
> security vulnerabilities?
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
