It affects ApacheDS as soon as you decide to change the configuration
file to send the generated logs through a SocketAppender.
By default, we log in a text file.
So, no, this is currently safe.
Now, I think it's about time we ditch log4j1.2 to switch to log4j2.
On the bright side: we haven't yet done that, and that means ApacheDS is
*not* vulnerable to the 10.0 critical log4shell breach ;-)
On 15/12/2021 14:35, Martin Schuster (IFKL IT OS DC CD) wrote:
While searching for software affected by the current CVE-2021-44228,
I noticed that ADS is shipping with
apacheds-2.0.0.AM26/lib/apacheds-service-2.0.0.AM26.jar
(org/apache/log4j/net/SocketNode.class): log4j 1.2.17
log4j 1.2 has been EOL since 2015, and there is an RCE bug,
https://www.cvedetails.com/cve/CVE-2019-17571/
Could this be exploited? Are there any plans to replace it with a
current version of log4j?
Thanks,
--
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@directory.apache.org
For additional commands, e-mail: users-h...@directory.apache.org
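The answer above rests on two facts that can be checked mechanically: whether the shipped jar bundles log4j 1.x's network classes, and whether the active log4j.properties actually wires an org.apache.log4j.net appender. The script below is an added example, not ApacheDS code; the properties text and the in-memory jar are constructed stand-ins, and the class path it looks for is the one Martin quoted.

```python
import io
import re
import zipfile

# Class path Martin found inside apacheds-service-2.0.0.AM26.jar.
SOCKET_NODE = "org/apache/log4j/net/SocketNode.class"
NET_PACKAGE = "org.apache.log4j.net."  # appenders here send events over the network
# Appender definitions only (log4j.appender.NAME=class), not NAME.RemoteHost=...
_APPENDER_RE = re.compile(r"^\s*log4j\.appender\.(\w+)\s*=\s*(\S+)")

def net_appenders(properties_text):
    """Map appender name -> class for each org.apache.log4j.net appender."""
    found = {}
    for line in properties_text.splitlines():
        m = _APPENDER_RE.match(line)
        if m and m.group(2).startswith(NET_PACKAGE):
            found[m.group(1)] = m.group(2)
    return found

def bundles_socket_node(jar_bytes):
    """True when the jar (as bytes) carries log4j 1.x's SocketNode class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return SOCKET_NODE in jar.namelist()

def assess(properties_text, jar_bytes):
    """Bundled class alone is an inventory finding; exposure needs a wired net appender."""
    if not bundles_socket_node(jar_bytes):
        return "not bundled"
    wired = net_appenders(properties_text)
    if wired:
        return "exposed: " + ", ".join(sorted(wired))
    return "bundled but unused: no org.apache.log4j.net appender configured"

def make_jar(entries):
    """Tiny in-memory jar; a constructed stand-in, not a real ApacheDS jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()

# Constructed config: a file appender (the reply's text-file default) plus a SocketAppender.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=WARN, R, SOCK
log4j.appender.R=org.apache.log4j.RollingFileAppender
log4j.appender.R.File=apacheds.log
log4j.appender.SOCK=org.apache.log4j.net.SocketAppender
log4j.appender.SOCK.RemoteHost=logs.example.internal
"""
SAMPLE_JAR = make_jar(["META-INF/MANIFEST.MF", SOCKET_NODE])
```

Run `assess()` against the real jar bytes and the deployed log4j.properties to turn the thread's reasoning into a repeatable inventory check.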