JNDI is a Java API (Java Naming and Directory Interface) for abstracting 
various networking APIs like LDAP, DNS, etc. It’s not present in .NET or C++ 
(or any non-JVM language), so it does not affect log4net or log4cxx.
--
Matt Sicker

> On Dec 14, 2021, at 08:54, David Schwartz <david.schwa...@ni.com> wrote:
> 
> Hi Joe,
> 
> Adding to what Davyd wrote.  I just searched the codebase and the JndiLookup 
> class (where the log4j vulnerability was found) does not exist in log4net.  
> In fact, there is no code related to jndi at all as far as I can see.
> 
> David
> 
> -----Original Message-----
> From: Davyd McColl <dav...@gmail.com>
> Sent: Tuesday, December 14, 2021 4:10 PM
> To: dev@logging.apache.org
> Subject: [EXTERNAL] Re: log4net
> 
> Hi Joe
> 
> No, it shouldn't, particularly because we're very different projects, on very 
> different platforms, and I understand that the log4j vuln is largely linked 
> to a _dependency_ of log4j. The closest we've had was an xml vuln that was 
> patched some time ago.
> 
> That being said, I'm currently the only maintainer and I definitely have 
> written the least code in log4net, so if you or anyone else would like to 
> audit for vulnerabilities (and, even better, PR mitigations), I'm all for it.
> 
> -d
> 
> 
> On December 14, 2021 16:03:39 Joe Kelly <joe.ke...@okcu.org> wrote:
> 
>> I was wondering if the log4net service has a similar vulnerability as
>> log4j. There isn't any information on the log4net security page and
>> the current version of 2.0.13 doesn't match the log4j version of 2.16.0.
>> 
>> Joe Kelly
>> Information Security Analyst
>> P: 405.763.5425
>> F: 405.602.6337
>> 
>> joe.ke...@okcu.org
>> Oklahoma's Credit Union
>> Happy to Help(r)
> 