[https://issues.apache.org/jira/browse/LOG4J2-3209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17458199#comment-17458199]
Volkan Yazici commented on LOG4J2-3209:
---------------------------------------
[~bbauley], Log4j 1 and Log4j 2 are two totally different beasts. Log4j 1
reached its end of life in 2015. I think you are already taking quite some
risk by using such outdated software.
Regarding your question, no, *Log4j 1 is not affected by CVE-2021-44228*. Log4j
1 has certain configurations where JNDI was employed, yet, to the best of my
knowledge, none expose a known vulnerability.
> Is Log4j 1.2.16 at risk for the CVE-2021-44228 bug
> --------------------------------------------------
>
> Key: LOG4J2-3209
> URL: https://issues.apache.org/jira/browse/LOG4J2-3209
> Project: Log4j 2
> Issue Type: Question
> Reporter: Brandon Bauley
> Priority: Critical
> Fix For: 2.15.0
>
>
> Hello,
> We currently are using an application that's running log4j 1.2.16 and I don't
> see a direct mention if this version is affected by CVE-2021-44228 or not. I
> understand that 1.2.16 hasn't been supported for a while now, but I'm hoping
> I could still get your guys' thoughts on it all since I believe it will take
> some time before we can upgrade this to the newest version where this is
> fixed.
> I'm seeing different responses so far where SLF4J has mentioned, "As log4j
> 1.x does not offer a look up mechanism, it does not suffer from
> CVE-2021-44228 in any shape or form." (see http://slf4j.org/log4shell.html),
> but I also see on your guys' website in the description of CVE-2021-44228
> that all prior versions before 2.10 can be mitigated by removing the
> JndiLookup class from the classpath (see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
>
> Could I get a confirmation if mitigation is needed for this version of log4j?
> Thanks so much,
> Brandon
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
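The practical follow-up to this thread is telling the two "beasts" apart on a real classpath: a Log4j 1.2.x jar ships `org/apache/log4j/Logger.class` and has no `JndiLookup` class at all, while Log4j 2's `log4j-core` ships `org/apache/logging/log4j/core/Logger.class` and (before the class was removed) `org/apache/logging/log4j/core/lookup/JndiLookup.class`, which is what the CVE text's "remove the JndiLookup class from the classpath" mitigation deletes. The scanner below is an added example written for this page, not code from the Log4j project or from either poster. The three class paths are the real ones shipped in those jars; the manifest `Implementation-Version` header is what the Log4j jars carry; the sample jars it builds are constructed in memory for the demo (empty entries, no real bytecode) and the `strip_jndi_lookup` helper is the author's own implementation of the zip-delete mitigation, not an Apache tool.

```python
"""Scan JAR/WAR/EAR files (including nested jars) for Log4j 1.x, Log4j 2 log4j-core,
and the JndiLookup class that the CVE-2021-44228 classpath mitigation removes.

Added example for this thread, not Log4j project code. Class paths below are the
real entries shipped in log4j-1.2.x.jar and log4j-core-2.x.jar; the sample archives
built by build_sample_jars() are constructed stand-ins (empty class entries).
"""
import io
import os
import tempfile
import zipfile

LOG4J1_MARKER = "org/apache/log4j/Logger.class"                      # Log4j 1.2.x
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"    # log4j-core 2.x
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED = (".jar", ".war", ".ear", ".zip")


def _scan_zip(zf, path, findings):
    names = set(zf.namelist())
    version = None
    # Log4j jars record their version in the manifest's Implementation-Version header.
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("latin-1").splitlines():
            if line.startswith("Implementation-Version:"):
                version = line.split(":", 1)[1].strip()
    info = {"path": path, "version": version,
            "log4j1": LOG4J1_MARKER in names,
            "log4j2_core": LOG4J2_CORE_MARKER in names,
            "jndi_lookup": JNDI_LOOKUP in names}
    if info["log4j1"] or info["log4j2_core"] or info["jndi_lookup"]:
        findings.append(info)
    # Recurse into bundled archives (WEB-INF/lib jars inside a WAR, jars inside an EAR).
    for name in sorted(names):
        if name.lower().endswith(NESTED):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{path}!/{name}", findings)
            except zipfile.BadZipFile:
                pass


def scan_archive(path):
    """Return one finding dict per (nested) archive that contains a Log4j marker."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        _scan_zip(zf, path, findings)
    return findings


def classify(info):
    if info["jndi_lookup"]:
        return "log4j-core 2.x with JndiLookup present"
    if info["log4j2_core"]:
        return "log4j-core 2.x, JndiLookup absent"
    if info["log4j1"]:
        return "Log4j 1.x (no JndiLookup class)"
    return "unknown"


def strip_jndi_lookup(path):
    """Rewrite a top-level jar without JndiLookup.class (the 2.x classpath mitigation).
    Returns True if the entry was removed, False if it was not there."""
    with zipfile.ZipFile(path) as zin:
        if JNDI_LOOKUP not in zin.namelist():
            return False
        tmp = path + ".tmp"
        with zipfile.ZipFile(tmp, "w") as zout:
            for item in zin.infolist():
                if item.filename != JNDI_LOOKUP:
                    zout.writestr(item, zin.read(item.filename))
    os.replace(tmp, path)
    return True


def build_sample_jars(directory):
    """Constructed demo archives: a Log4j 1.2.16 jar, a log4j-core 2.14.1 jar, and a
    WAR bundling that core jar. Class entries are empty placeholders, not bytecode."""
    def make(name, version, entries):
        p = os.path.join(directory, name)
        with zipfile.ZipFile(p, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for e in entries:
                zf.writestr(e, b"")
        return p
    old = make("log4j-1.2.16.jar", "1.2.16", [LOG4J1_MARKER])
    core = make("log4j-core-2.14.1.jar", "2.14.1", [LOG4J2_CORE_MARKER, JNDI_LOOKUP])
    war = os.path.join(directory, "app.war")
    with zipfile.ZipFile(war, "w") as zf:
        with open(core, "rb") as f:
            zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", f.read())
    return {"log4j1": old, "core": core, "war": war}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for p in build_sample_jars(d).values():
            for hit in scan_archive(p):
                print(hit["path"], hit["version"], classify(hit))
```

Run against a real deployment by pointing `scan_archive` at each jar, war or ear; a hit classified as "Log4j 1.x (no JndiLookup class)" is the 1.2.16 situation asked about above, where there is no `JndiLookup` to remove. `strip_jndi_lookup` only rewrites top-level jars; for a jar nested inside a WAR, extract it, strip it, and repackage, and treat this as an interim measure rather than a substitute for upgrading.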