Sanjeev Kumar created LOG4J2-3444:
-------------------------------------
Summary: Log4j 1.2 Unsupported Flagging by Nessus
Key: LOG4J2-3444
URL: https://issues.apache.org/jira/browse/LOG4J2-3444
Project: Log4j 2
Issue Type: Question
Reporter: Sanjeev Kumar
The Apache log4j open source software has critical security vulnerabilities
in both major versions (1.x and 2.x). This is highlighted in:
https://logging.apache.org/log4j/2.x/security.html
We have many products deployed on RHEL7 that currently use log4j version 1.x.
The Nessus plugin that scans for security vulnerabilities in products declares
that Log4j version 1.2 is unsupported. The plugin details are in:
https://www.tenable.com/plugins/nessus/156032
This is solely based on the Apache Log4j EOL notice for version 1.x and the
recommendation to upgrade to version 2.17+. The details are available in:
https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
But Red Hat has been supporting version 1.2 and deploying patches to address the
recent security vulnerabilities, as evident in:
https://access.redhat.com/errata/RHSA-2022:0439
Since we have many third-party products dependent on log4j version 1.2, and we
need to update these third-party products to log4j version 2.x, it is a huge
development effort. We plan to upgrade to version 2.x in the future, but until
then we need to address the Nessus plugin scans that are declaring Log4j version
1.2 as unsupported, which is clearly incorrect as per Red Hat.
I request Log4j support to work with Nessus plugin support to facilitate
declaring Log4j version 1.2.17+ as supported, so that the Nessus plugin scans
described above do not flag Log4j version 1.2.17+ as unsupported. It will give
us some time frame for deploying the new Log4j 2.x.
Also, if there is any other way to contact Log4j support in this matter,
please let me know.
Thanks,
Sanjeev
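An added example, not part of this Jira issue and not code from the Log4j project or Red Hat: a POSIX shell script that checks whether the installed RHEL log4j RPM's changelog references a given Red Hat erratum such as RHSA-2022:0439. A backported fix changes the RPM release and changelog but not the upstream 1.2.17 version string, which is why a version-only scanner check cannot see it; the changelog is the evidence an administrator can show. The changelog text below is a constructed sample used when `rpm` or the package is absent, the CVE id in it is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Jira issue): verify that an installed RHEL log4j
# 1.2 RPM carries a given Red Hat erratum, using the RPM changelog rather than
# the upstream version string that a version-only scanner check looks at.

# Constructed sample of `rpm -q --changelog log4j` output. The CVE id is a
# placeholder and is not taken from the erratum.
SAMPLE_CHANGELOG='* Mon Feb 07 2022 Example Maintainer <maint@example.com> - 1.2.17-17
- Resolves: RHSA-2022:0439
- Backport fix for CVE-XXXX-NNNNN (placeholder id)

* Tue Jan 01 2019 Example Maintainer <maint@example.com> - 1.2.17-16
- Rebuild'

# changelog_has_erratum CHANGELOG_TEXT ERRATUM_ID
# Returns 0 when the erratum id appears anywhere in the changelog text.
changelog_has_erratum() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# list_cves CHANGELOG_TEXT
# Prints the unique CVE ids mentioned in the changelog, one per line.
list_cves() {
    printf '%s\n' "$1" | grep -o -E 'CVE-[0-9A-Z]{4}-[0-9A-Z]{4,}' | sort -u
}

# installed_log4j_changelog
# Prints the real changelog when rpm and the log4j package are present,
# otherwise the constructed sample so the script runs offline.
installed_log4j_changelog() {
    if command -v rpm >/dev/null 2>&1 && rpm -q log4j >/dev/null 2>&1; then
        rpm -q --changelog log4j
    else
        printf '%s\n' "$SAMPLE_CHANGELOG"
    fi
}

# check_erratum ERRATUM_ID
# Prints a verdict; returns 0 if the erratum is referenced, 1 otherwise.
check_erratum() {
    changelog=$(installed_log4j_changelog)
    if changelog_has_erratum "$changelog" "$1"; then
        echo "log4j RPM changelog references $1; CVEs listed:"
        list_cves "$changelog" | sed 's/^/  /'
        return 0
    fi
    echo "log4j RPM changelog does NOT reference $1"
    return 1
}

check_erratum "RHSA-2022:0439"
```

On a real RHEL7 host the `rpm` branch is taken and the erratum id and CVE list come from the installed package; the exit status makes the check usable from a compliance job that needs to document why a version-based scanner finding is a false positive.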
--
This message was sent by Atlassian Jira
(v8.20.1#820001)