Hello Steve, Am 2021-12-14 13:42, schrieb Steve Clark via CentOS: > Hi List, > > I see on CentOS 7 it has log4j-1.2.17... > Is ok 2 use. I know the CVE was against 2.0 fwd but not knowing if > something was backported to 1.2 ? > > Thanks, > Steve log4j Version 1.2 is definitely *NOT* OK to use. The Apache website https://logging.apache.org/log4j/1.2/ says: "On August 5, 2015 the Logging Services Project Management Committee announced that Log4j 1.x had reached end of life." There is already an unpatched CVE from 2019 for log4j 1.2. It's really time to upgrade. Kind regards, Steve