> Hello Steve, > > Am 2021-12-14 14:14, schrieb Steve Clark: >> This is the standard version that comes with CentOS 7 and is the >> latest available as of a yum update just now. >> log4j-1.2.17-16.el7_4.noarch > > yes, that's correct, but it is abandoned nonetheless. > > According to the RPM's change log, Red Hat backported a fix for > CVE-2017-5645. > They have not done this for CVE-2019-17571 it seems. > I would be very surprised if they'd do so now. It seems CVE-2019-17571 is also covered by the fix for CVE-2017-5645: https://access.redhat.com/node/4677071 Regards, Simon