[CentOS] log4j cve

Tue Dec 14 13:14:44 UTC 2021
Steve Clark <steve.clark at netwolves.com>

On 12/14/21 8:07 AM, Steve Meier wrote:

Hello Steve,

Am 2021-12-14 13:42, schrieb Steve Clark via CentOS:


Hi List,

I see on CentOS 7 it has log4j-1.2.17...
Is ok 2 use. I know the CVE was against 2.0 fwd but not knowing if
something was backported to 1.2 ?

Thanks,
Steve



log4j Version 1.2 is definitely *NOT* OK to use.

The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
  announced that Log4j 1.x had reached end of life."

There is already an unpatched CVE from 2019 for log4j 1.2.

It's really time to upgrade.

Kind regards,
   Steve



This is the standard version that comes with CentOS 7 and is the latest available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch

--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect

Email Confidentiality Notice: The information contained in this transmission may contain privileged and confidential and/or protected health information (PHI) and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA). This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, dissemination, distribution, printing or copying of this transmission is strictly prohibited and may subject you to criminal or civil penalties. If you have received this transmission in error, please contact the sender immediately and delete this email and any attachments from any computer. Vaso Corporation and its subsidiary companies are not responsible for data leaks that result from email messages received that contain privileged and confidential and/or protected health information (PHI).