[
https://issues.apache.org/jira/browse/LOG4J2-3209?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Volkan Yazici resolved LOG4J2-3209.
-----------------------------------
Fix Version/s: (was: 2.15.0)
Resolution: Resolved
> Is Log4j 1.2.16 at risk for the CVE-2021-44228 bug
> --------------------------------------------------
>
> Key: LOG4J2-3209
> URL: https://issues.apache.org/jira/browse/LOG4J2-3209
> Project: Log4j 2
> Issue Type: Question
> Reporter: Brandon Bauley
> Priority: Critical
>
> Hello,
> We currently are using an application that's running log4j 1.2.16 and I don't
> see a direct mention if this version is affected by CVE-2021-44228 or not. I
> understand that 1.2.16 hasn't been supported for a while now, but I'm hoping
> I could still get your guys' thoughts on it all since I believe it will take
> some time before we can upgrade this to the newest version where this is
> fixed.
> I'm seeing different responses so far where SLF4J has mentioned, "As log4j
> 1.x does not offer a look up mechanism, it does not suffer from
> CVE-2021-44228 in any shape or form." (see http://slf4j.org/log4shell.html),
> but I also see on your guys' website in the description of CVE-2021-44228
> that all prior versions before 2.10 can be mitigated by removing the
> JndiLookup class from the classpath. (see
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228).
>
> Could I get a confirmation if mitigation is needed for this version of log4j?
> Thanks so much,
> Brandon
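The mitigation quoted in the question targets a single class file, so a deployment can be inspected for it directly. The following is an added example, not part of the issue or of Log4j's own code: it reports whether an archive (including nested jars) carries log4j-core's JndiLookup class, a log4j-core with that class removed, or Log4j 1.x classes. The function names, finding strings and sample archives are constructed for illustration.

```python
import io
import zipfile

# Class file the mitigation quoted above removes (path inside log4j-core 2.x jars).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
V1_PREFIX = "org/apache/log4j/"               # Log4j 1.x package root
V2_PREFIX = "org/apache/logging/log4j/core/"  # Log4j 2.x core package root
NESTED_EXT = (".jar", ".war", ".ear")


def scan_archive(data, name="<archive>", depth=0, max_depth=4):
    """Return [(archive_path, finding)] for this archive and any nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable")]
    findings = []
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP in names:
            findings.append((name, "log4j2-core with JndiLookup"))
        elif any(n.startswith(V2_PREFIX) for n in names):
            findings.append((name, "log4j2-core, JndiLookup removed"))
        if any(n.startswith(V1_PREFIX) and n.endswith(".class") for n in names):
            findings.append((name, "log4j 1.x classes"))
        # Application archives bundle libraries as nested jars (e.g. WEB-INF/lib).
        for n in names:
            if n.lower().endswith(NESTED_EXT) and depth < max_depth:
                findings += scan_archive(zf.read(n), f"{name}!/{n}", depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build an in-memory jar from {path: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: empty class files stand in for the real libraries.
    v1 = make_jar({V1_PREFIX + "Logger.class": b""})
    v2 = make_jar({JNDI_LOOKUP: b"", V2_PREFIX + "Logger.class": b""})
    app = make_jar({"WEB-INF/lib/log4j-1.2.16.jar": v1, "WEB-INF/lib/log4j-core.jar": v2})
    for path, finding in scan_archive(app, "app.war"):
        print(f"{path} -> {finding}")
```

Matching is by class path only, so shaded (relocated) copies are not detected, and the 1.x match would also fire on the log4j-1.2-api bridge jar from Log4j 2, which uses the same package name.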