Hello,

Please use the log4j-user@logging.apache.org mailing list for questions, so
that others can benefit too. The security@ mailing list is used for reporting
vulnerabilities.

Log4j1 and Log4j2 are two totally separate code bases. The vulnerabilities
affecting them are different too, hence those are assigned to different
CVEs. If I understand correctly, initially, your application had a
`log4j.xml` (Log4j1 configuration) and `log4j-1.2.17.jar` (Log4j1 itself).
Log4j1 reached its end-of-life in 2015 and has not been maintained since
then, putting aside both known and unknown vulnerabilities associated with
it. Hence we strongly recommend that you move away from Log4j1. As you have
also noted, you can upgrade to Log4j2 in various ways
<https://logging.apache.org/log4j/2.x/manual/migration.html>, one of which
is using the `log4j-1.2-api` bridge. In this method, you will
end up having a Log4j1 configuration (`log4j.xml`), `log4j-1.2-api` and
`log4j-core` JARs. Since these two JARs are part of Log4j2, now you are
subject to Log4j2 vulnerabilities. Put another way, your project doesn't
depend on Log4j1 anymore and hence, is not prone to Log4j1 vulnerabilities.
That is why, once you employ `log4j-1.2-api` and `log4j-core`, you should
upgrade both JARs to the most recent Log4j2 version.

Kind regards.

On Tue, Jan 4, 2022 at 7:12 AM 이초 <pplx...@gmail.com> wrote:

> Hello.
> Please forgive me for using a translator.
>
> I am using Log4j version 1.x and upgrading to Log4j version 2 is in
> progress.
> There is a way to remove the class file, but internally, upgrading is
> recommended. It was a difficult situation to upgrade because it was a
> legacy system, but it was confirmed that it works normally with the
> log4j-1.2-api bridge function. The problem is that the official document or
> the document of public institutions says to upgrade, and there is no
> information about whether it can be handled with the bridge function.
> It is said that only the official content is recognized internally, but I
> wonder if the current security issue and the problem of the previous 1.x
> version will be resolved if the bridge method is used to handle the latest
> version 2.17.
> And is it possible to announce this content on the apache logging site,
> even briefly?
> I know you are busy, but please check it. Happy New Year. Thank you.
>
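As an added example that is not part of this thread and not code from the Log4j project, the following POSIX shell check covers the situation the reply describes: it flags a lib directory that still carries a Log4j1 JAR, a bridge migration that is missing either `log4j-1.2-api` or `log4j-core`, or the two Log4j2 JARs sitting at different versions. It assumes standard Maven-style file names (`log4j-<ver>.jar`, `log4j-1.2-api-<ver>.jar`, `log4j-core-<ver>.jar`) and uses constructed sample layouts with empty files standing in for the JARs.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Log4j project).
# Audit a lib/ directory after migrating from Log4j1 to the Log4j2 bridge.
# Prints one line: LOG4J1_PRESENT, BRIDGE_INCOMPLETE, VERSION_MISMATCH or OK,
# and returns 0 only for OK. A leftover Log4j1 JAR is reported first, because
# it means the project is still exposed to Log4j1 issues whatever else is there.
audit_log4j_libs() {
    dir="$1"
    log4j1=""; bridge=""; core=""
    for f in "$dir"/*.jar; do
        [ -e "$f" ] || continue            # no *.jar in the directory
        name=$(basename "$f")
        case "$name" in                    # order matters: bridge before the Log4j1 glob
            log4j-1.2-api-*.jar) bridge="${name#log4j-1.2-api-}"; bridge="${bridge%.jar}" ;;
            log4j-core-*.jar)    core="${name#log4j-core-}";      core="${core%.jar}" ;;
            log4j-1.[0-9]*.jar)  log4j1="$name" ;;  # Log4j1 itself, e.g. log4j-1.2.17.jar
        esac
    done
    if [ -n "$log4j1" ]; then
        echo "LOG4J1_PRESENT $log4j1"; return 1
    fi
    if [ -z "$bridge" ] || [ -z "$core" ]; then
        echo "BRIDGE_INCOMPLETE bridge=${bridge:-none} core=${core:-none}"; return 1
    fi
    if [ "$bridge" != "$core" ]; then
        echo "VERSION_MISMATCH bridge=$bridge core=$core"; return 1
    fi
    echo "OK log4j-1.2-api=$bridge log4j-core=$core"
    return 0
}

# Constructed sample layouts: creates a temp directory holding empty files
# with the given JAR names and prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    for n in "$@"; do : > "$d/$n"; done
    echo "$d"
}

# Demo on constructed layouts (version strings are sample values):
# the legacy state, a half-done migration, a stale bridge, and the target state.
for layout in "log4j-1.2.17.jar" \
              "log4j-1.2-api-2.17.0.jar" \
              "log4j-1.2-api-2.17.0.jar log4j-core-2.17.1.jar" \
              "log4j-1.2-api-2.17.1.jar log4j-core-2.17.1.jar"; do
    sample=$(make_sample_dir $layout)
    audit_log4j_libs "$sample" || true
done
```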
