Most security scanners should be following the version rules that are defined 
in the CVE. 

For all practical purposes the only versions that are CVE free are 2.3.2 
(minimum of Java 6), 2.12.4 (minimum of Java 7), and 2.17.1 (minimum of Java 
8). These were all released last week.

For other versions you would need to look at the mitigations listed in the 
Log4j security page at https://logging.apache.org/log4j/2.x/security.html. 
Depending on your configuration it is possible an upgrade might not be 
necessary but that is unlikely. For example, the most serious issue could be 
avoided if you weren’t using a PatternLayout, but almost everyone uses that.

The “feature” involved in CVE-2021-44228 was present in the very first release 
of Log4j2 in 2012.

Ralph

> On Jan 4, 2022, at 7:32 AM, John Lussmyer <cou...@casadelgato.com> wrote:
> 
> We have customers using an OLD version of our product that are now getting 
> warnings about the Log4j security issue.
> What version was that feature added in?
> (I suspect that most security scanners are just saying "Is log4j version < 
> 2.17?")
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
> For additional commands, e-mail: log4j-user-h...@logging.apache.org

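The version rules Ralph describes, as an added example that is not from this thread or from the Log4j project: a small Python check that encodes the per-branch fix releases he lists (2.3.2 for the Java 6 line, 2.12.4 for the Java 7 line, 2.17.1 otherwise) and compares it against the naive "is log4j < 2.17?" rule John suspects scanners use. The list of versions fed in is constructed; the parser accepts plain numeric versions only (assumption), and treating every release below its branch's fix release as vulnerable is the assumption this check makes (the authoritative per-CVE rules are on the Log4j security page linked above).

```python
"""
Branch-aware Log4j 2 version check versus the naive "< 2.17" rule.

Added example; not code from the log4j-user thread or the Log4j project.
The fix releases (2.3.2, 2.12.4, 2.17.1) are the ones named in the message;
everything else here (the parser, the sample list) is constructed.
"""

# First CVE-free release on the two old maintenance branches named in the
# message. Any other 2.x version is measured against the main line fix.
FIXED_PER_BRANCH = {
    (2, 3): (2, 3, 2),    # Java 6 line
    (2, 12): (2, 12, 4),  # Java 7 line
}
FIXED_MAIN = (2, 17, 1)   # Java 8+ line


def parse_version(version: str) -> tuple:
    """'2.17.1' -> (2, 17, 1). Numeric dotted versions only (assumption);
    pre-release suffixes such as '-rc1' are not handled."""
    return tuple(int(part) for part in version.strip().split("."))


def naive_is_vulnerable(version: str) -> bool:
    """The rule John suspects scanners use: flag anything below 2.17."""
    return parse_version(version) < (2, 17)


def branch_aware_is_vulnerable(version: str) -> bool:
    """Flag a version only if it is below the fix release of its own branch.

    2.3.x is judged against 2.3.2, 2.12.x against 2.12.4, everything else
    against 2.17.1. Log4j 1.x is rejected rather than classified: the rules
    encoded here are for Log4j 2 only.
    """
    v = parse_version(version)
    if v[:1] != (2,):
        raise ValueError(f"{version}: this check covers Log4j 2 only")
    fixed = FIXED_PER_BRANCH.get(v[:2], FIXED_MAIN)
    return v < fixed


def compare_rules(versions):
    """Return {version: (naive_verdict, branch_aware_verdict)} for every
    version on which the two rules disagree."""
    disagreements = {}
    for version in versions:
        naive = naive_is_vulnerable(version)
        aware = branch_aware_is_vulnerable(version)
        if naive != aware:
            disagreements[version] = (naive, aware)
    return disagreements


# Constructed sample input: a spread of 2.x versions on each branch.
SAMPLE_VERSIONS = [
    "2.0", "2.3.1", "2.3.2", "2.12.3", "2.12.4",
    "2.14.1", "2.16.0", "2.17.0", "2.17.1",
]

if __name__ == "__main__":
    # Expect false positives on 2.3.2 and 2.12.4 (naive flags them, they are
    # fixed) and a false negative on 2.17.0 (naive passes it, it is below 2.17.1).
    for version, (naive, aware) in compare_rules(SAMPLE_VERSIONS).items():
        print(f"{version}: naive={naive} branch_aware={aware}")
```

The disagreements are the ones a scanner running the naive rule produces: the two patched maintenance releases come back as findings that need manual closure, and 2.17.0 slips through even though the message says only 2.17.1 is CVE free on that line.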
