remkop commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990661374


> @remkop Which description is correct?

@linux-ops You are asking me? Well, in my totally objective, completely unbiased opinion, there is no doubt that my comment is correct. ;-) 😜 But it is possible that others have a different opinion.

Anyway, jokes aside, I understand that the HackerNews discussion got a bit confusing. However, my [earlier comment does mention](https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126) the reason why we believe Log4j 1.x **_is_** impacted: it contains a JMS Appender which can use JNDI. Also note that Log4j 1.x is [End of Life](https://logging.apache.org/log4j/1.2/) and has [other security vulnerabilities](https://www.cvedetails.com/cve/CVE-2019-17571/) that will not be fixed.

To summarize: Log4j 1.x is also impacted, and we recommend using Log4j 2.15.0 instead.

To answer your first question:
I believe that applications that use `log4j-api` with `log4j-to-slf4j`, without using `log4j-core`, are not impacted by this vulnerability. (Because the lookup and JNDI implementations are in `log4j-core`.)



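The comment above draws a line between three situations: `log4j-core` (where the lookup and JNDI code lives), Log4j 1.x (EOL, with a JNDI-capable JMS Appender), and `log4j-api` bridged to SLF4J with no `log4j-core` at all. The script below is an added example, not code from the PR or the Log4j project, that applies exactly that reasoning to an application's classpath so a defender can triage which deployments need the upgrade to 2.15.0 first. It assumes Maven-style jar names (`<artifactId>-<version>.jar`), treats any `log4j-core` below the 2.15.0 the comment recommends as impacted, and uses a constructed sample classpath; because it only inspects filenames it will not see Log4j classes repackaged inside shaded or fat jars, so a "no-log4j" result is a hint to look deeper, not a clean bill of health.

```python
import re

# Version the comment recommends moving to; log4j-core below it is treated as impacted.
RECOMMENDED_CORE = (2, 15, 0)

# Maven-style jar filename: <artifactId>-<version>.jar (assumed naming convention).
JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)\.jar$")

# Constructed sample classpath (not from the PR): log4j-api bridged to SLF4J, no log4j-core.
SAMPLE_CLASSPATH = [
    "/app/lib/log4j-api-2.14.1.jar",
    "/app/lib/log4j-to-slf4j-2.14.1.jar",
    "/app/lib/slf4j-api-1.7.32.jar",
    "/app/lib/logback-classic-1.2.7.jar",
]


def parse_jar(path):
    """Return (artifactId, version tuple) for a Maven-style jar path, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(p) for p in m.group("version").split("."))
    return m.group("artifact"), version


def fmt(version):
    return ".".join(str(p) for p in version)


def assess(classpath):
    """Classify a classpath using the comment's reasoning:
    - log4j-core below 2.15.0: impacted (lookups and JNDI live in log4j-core)
    - log4j 1.x: impacted via the JNDI-capable JMS Appender, and EOL
    - log4j-api + log4j-to-slf4j without log4j-core: not impacted
    """
    jars = {}
    for path in classpath:
        parsed = parse_jar(path)
        if parsed is not None:
            jars.setdefault(parsed[0], []).append(parsed[1])

    findings = []
    for v in jars.get("log4j-core", []):
        if v < RECOMMENDED_CORE:
            findings.append(
                f"log4j-core {fmt(v)}: lookup/JNDI code lives in log4j-core; "
                f"upgrade to {fmt(RECOMMENDED_CORE)}"
            )
    for v in jars.get("log4j", []):  # Log4j 1.x ships as artifactId "log4j"
        if v[0] == 1:
            findings.append(
                f"log4j {fmt(v)} (1.x): EOL, JMS Appender can use JNDI; "
                f"migrate to {fmt(RECOMMENDED_CORE)}"
            )

    if findings:
        status = "impacted"
    elif "log4j-core" in jars:
        status = "core-2.15.0-or-later"
    elif "log4j-api" in jars and "log4j-to-slf4j" in jars:
        status = "not-impacted"
    elif any(a.startswith("log4j") for a in jars):
        status = "review"  # conservative: other log4j-* module combinations
    else:
        status = "no-log4j"  # or repackaged inside a shaded jar; check deeper

    return {
        "status": status,
        "findings": findings,
        "jars": {a: [fmt(v) for v in vs] for a, vs in jars.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_CLASSPATH), indent=2))
```

Feed it the output of `ls` on the application's lib directory, or the jar entries of a manifest `Class-Path`; one run per deployment gives a quick ranking of which hosts still carry a JNDI-capable Log4j and which only use the API bridged to SLF4J.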
-- 
This is an automated message from the Apache Git Service.