On 12/14/21 8:07 AM, Steve Meier wrote:
Hello Steve,
Am 2021-12-14 13:42, schrieb Steve Clark via CentOS:
Hi List,
I see on CentOS 7 it has log4j-1.2.17... Is ok 2 use. I know the CVE was against 2.0 fwd but not knowing if something was backported to 1.2 ?
Thanks, Steve
log4j Version 1.2 is definitely *NOT* OK to use.
The Apache website https://logging.apache.org/log4j/1.2/ says: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life."
There is already an unpatched CVE from 2019 for log4j 1.2.
It's really time to upgrade.
Kind regards, Steve
This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now. log4j-1.2.17-16.el7_4.noarch
-- Stephen Clark NetWolves Managed Services, LLC. Sr. Applications Architect
Email Confidentiality Notice: The information contained in this transmission may contain privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately and delete this email and any attachments from any computer. Vaso Corporation and its subsidiary companies are not responsible for data leaks that result from email messages received that contain privileged and confidential and/or protected health information (PHI).