remkop edited a comment on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-990661374

> @remkop Which description is correct?

@linux-ops You are asking me? Well, in my totally objective, completely unbiased opinion, there is no doubt that my comment is correct. ;-) 😜 But it is possible that others have a different opinion.

Anyway, jokes aside, I understand that the HackerNews discussion got a bit confusing. However, my [earlier comment does mention](https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126) the reason why we believe Log4j 1.x **_is_** impacted: it contains a JMS Appender which can use JNDI. Also note that Log4j 1.x is [End of Life](https://logging.apache.org/log4j/1.2/) and has [other security vulnerabilities](https://www.cvedetails.com/cve/CVE-2019-17571/) that will not be fixed.

**Update (2021-12-11 09:04 JST): according to [this analysis](https://twitter.com/ceki/status/1469449618316533762) by @ceki (the author of log4j 1.x), Log4j 1.x is not impacted, since it does not have lookups, and the JMS Appender only loads Strings from the remote server, not serialized objects.**

**Update (2021-12-12 10:09 JST): according to [this analysis](https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301) by @TopStreamsNet, strictly speaking, applications using Log4j 1.x may be impacted if their configuration uses JNDI. However, the risk is much lower.**

To summarize: ~~Log4j 1.x is also impacted~~, and we recommend using Log4j 2.15.0 instead.

To answer your first question: I believe that applications that use `log4j-api` with `log4j-to-slf4j`, without using `log4j-core`, are not impacted by this vulnerability. (Because the lookup and JNDI implementations are in `log4j-core`.)
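The distinctions drawn in the comment above can be turned into a dependency triage check. The following is an added example, not code from the comment or from the Log4j project: it assumes standard Maven jar names (`artifact-version.jar`), and the function names and result tags are hypothetical.

```python
import re

# Assumption: jars follow Maven naming, "<artifact>-<version>[-suffix].jar".
JAR_RE = re.compile(r"^(log4j(?:-[a-z0-9]+)*?)-(\d+(?:\.\d+)*)([-.][A-Za-z0-9]+)?\.jar$")
FIXED = (2, 15, 0)  # the release the comment recommends
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"  # Log4j 1.x appender that uses JNDI


def parse_jar(path):
    """Return (artifact, (major, minor, patch)) for a Log4j jar path, else None."""
    m = JAR_RE.match(path.rsplit("/", 1)[-1])
    if not m:
        return None
    version = tuple(int(p) for p in m.group(2).split("."))
    return m.group(1), (version + (0, 0, 0))[:3]


def config_uses_jms(config_text):
    """True if an uncommented line of a Log4j 1.x config names the JMS Appender."""
    return any(JMS_APPENDER in line
               for line in config_text.splitlines()
               if not line.lstrip().startswith(("#", "!", "<!--")))


def triage(jar_paths, log4j1_config=""):
    """Map a classpath listing (plus optional 1.x config) to hypothetical tags."""
    found = dict(filter(None, map(parse_jar, jar_paths)))
    tags = []
    core = found.get("log4j-core")
    if core is not None and core < FIXED:
        tags.append("UPGRADE_CORE")        # lookups and JNDI live in log4j-core
    elif core is None and "log4j-api" in found:
        tags.append("API_ONLY")            # e.g. log4j-api + log4j-to-slf4j
    v1 = found.get("log4j")
    if v1 is not None and v1[0] == 1:
        # 1.x is end of life; exposure depends on whether the config uses JNDI
        tags.append("LOG4J1_JNDI_CONFIG" if config_uses_jms(log4j1_config)
                    else "LOG4J1_EOL")
    return tags


if __name__ == "__main__":
    # Constructed sample classpath and config, for illustration only.
    print(triage(["lib/log4j-api-2.14.1.jar", "lib/log4j-core-2.14.1.jar"]))
    print(triage(["lib/log4j-1.2.17.jar"],
                 "log4j.appender.jms=org.apache.log4j.net.JMSAppender\n"))
```

Matching on file names misses shaded or repackaged copies of `log4j-core`, so an empty result here is not proof of absence.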
