[CentOS] log4j cve

Tue Dec 14 13:07:27 UTC 2021
Steve Meier <email at steve-meier.de>

Hello Steve,

Am 2021-12-14 13:42, schrieb Steve Clark via CentOS:
> Hi List,
> I see on CentOS 7 it has log4j-1.2.17...
> Is ok 2 use. I know the CVE was against 2.0 fwd but not knowing if
> something was backported to 1.2 ?
> Thanks,
> Steve

log4j Version 1.2 is definitely *NOT* OK to use.

The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
  announced that Log4j 1.x had reached end of life."

There is already an unpatched CVE from 2019 for log4j 1.2.

It's really time to upgrade.

Kind regards,