[
https://issues.apache.org/jira/browse/LOG4J2-3444?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511675#comment-17511675
]
Ralph Goers commented on LOG4J2-3444:
-------------------------------------
You contact "Log4j support" by sending emails to the log4j dev list as
documented on our web site. Like many open source projects, no developers are
paid to work on Log4j full time. That said, we do try to be responsive in
fixing issues with Log4j 2.
As Piotr mentions, our recommendation is to use the Log4j 1.x bridge as the
first step in migrating to Log4j 2.
Nessus is correct in that Log4j 1.2.x is no longer supported. RedHat, as well
as other alternative implementations, is not allowed to publish its modified
version of Log4j 1.x to the Maven Central repository using the log4j:log4j
coordinates since it is not published by the Apache Logging Services project. I
suspect (but haven't checked) that their additions have also been done under
the GPL, which is incompatible with the Apache License 2.0.
Given this, I am closing this issue as won't fix since there is nothing we can
do.
> Log4j 1.2 Unsupported Flagging by Nessus
> ----------------------------------------
>
> Key: LOG4J2-3444
> URL: https://issues.apache.org/jira/browse/LOG4J2-3444
> Project: Log4j 2
> Issue Type: Question
> Reporter: Sanjeev Kumar
> Priority: Major
>
> The Apache log4j open source software has critical security vulnerabilities
> in both major versions (1.x and 2.x). This is highlighted in:
> https://logging.apache.org/log4j/2.x/security.html
> We have many products deployed in RHEL7 that currently use log4j version 1.x.
> The Nessus Plugin that scans for security vulnerabilities in products
> declares that Log4j version 1.2 is unsupported. The Plugin details are in:
> https://www.tenable.com/plugins/nessus/156032
> This is solely based on the Apache Log4j EOL notice for version 1.x and the
> recommendation to upgrade to version 2.17+. The details of which are
> available in:
> https://blogs.apache.org/foundation/entry/apache_logging_services_project_announces
> But RedHat has been supporting deploying patches to version 1.2 to address
> the recent security vulnerabilities and deploying patches as evident in:
> https://access.redhat.com/errata/RHSA-2022:0439
> Since we have many third-party products dependent on log4j version 1.2 and
> we need to update these third-party products to log4j version 2.x, it is a
> huge development. We plan to upgrade to version 2.x in the future, but until
> then we need to address the Nessus Plugin scans that are declaring Log4j
> version 1.2 as unsupported, which is clearly incorrect as per RedHat.
> I request Log4j support to work with Nessus Plugin support to
> facilitate declaring Log4j version 1.2.17+ as supported and not have any
> scans from the Nessus Plugin described above flag Log4j version 1.2.17+
> as unsupported. It will give us some time frame to deploy the new Log4j
> 2.x.
> Also, if there's any other way to contact Log4j support in this matter,
> please let me know.
> Thanks,
> Sanjeev
>
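As an added illustration of the Log4j 1.x bridge migration path recommended in the comment above (this is not code from the issue or from the Log4j project), a Maven dependency block that excludes the unsupported log4j:log4j 1.2.x jar a scanner would flag and routes the old org.apache.log4j API through Log4j 2; the com.example:legacy-lib artifact is hypothetical and 2.17.1 is an assumed 2.17+ release.

```xml
<!-- Added example, not from the issue: replace the 1.2.x jar with the Log4j 2 bridge. -->
<dependencies>
  <!-- Hypothetical third-party library that still pulls in log4j:log4j transitively. -->
  <dependency>
    <groupId>com.example</groupId>
    <artifactId>legacy-lib</artifactId>
    <version>1.0</version>
    <exclusions>
      <!-- Keep the EOL 1.2.x jar off the classpath entirely. -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Bridge: provides org.apache.log4j.* on top of Log4j 2, so legacy code runs unchanged. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-1.2-api</artifactId>
    <version>2.17.1</version> <!-- assumed version; use a current 2.17+ release -->
  </dependency>
  <!-- Log4j 2 implementation that actually writes the log output. -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
  </dependency>
</dependencies>
```

Confirm nothing still drags the old jar in with `mvn dependency:tree -Dincludes=log4j:log4j`, which should print no matching artifact once every transitive path is excluded.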