albfernandez / log4j
This project forked from apache/logging-log4j1
Mirror of Apache log4j
License: Apache License 2.0
Reading
https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv
and
I conclude that log4j 1.2.7 is not directly vulnerable to CVE-2021-44228 .
However
http://slf4j.org/log4shell.html
describes a less easy to exploit potential vulnerability related to the JMSAppender and a JNDI lookup.
As this CVE is currently receiving a lot of attention, it seems best to address that vulnerability in log4j 1.2.7 to put the mind of our customers at ease completely.
Simply removing the JMSAppender class seems sufficient I think.
By design, the JDBCAppender in Log4j 1.2.x (CVE-2022-23305) accepts an SQL statement as a configuration parameter in which the values to be inserted are PatternLayout converters. The message converter, %m, is almost always included. Because the formatted string is executed as-is, an attacker who can get a crafted string into a logged input field or header controls part of the SQL text and can cause unintended SQL to be executed. This issue only affects Log4j 1.x when it is explicitly configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it also addresses numerous other issues from the previous versions.
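The following is an added example, not code from this repository or from Apache Log4j. It emulates in Python, against an in-memory SQLite database, what the Log4j 1.2 JDBCAppender does: the configured `sql` option is a PatternLayout string, so the raw message (`%m`) is substituted into the statement text before it is executed. Beside it is the parameterized insert that Log4j 2's JDBC appender performs. The SQL template, table layout, "password hash" and the log messages are all constructed for the demonstration; the attacker string shows one consequence the description does not spell out, that a logged message can pull data from another table into the log row, and a second benign message shows that a plain apostrophe is enough to break the vulnerable appender.

```python
import re
import sqlite3

# Constructed Log4j 1.2-style JDBCAppender "sql" option. %d, %p and %m are
# PatternLayout converters; the appender executes the rendered string verbatim.
SQL_TEMPLATE = (
    "INSERT INTO LOGS (LOGGED_AT, LEVEL, MESSAGE) VALUES ('%d', '%p', '%m')"
)

# Constructed attacker-controlled input (e.g. a username or header that the
# application logs). It closes the MESSAGE literal and concatenates a subquery,
# so the "log line" that gets stored is the admin password hash.
MALICIOUS = (
    "login failed' || (SELECT PASSWORD_HASH FROM USERS WHERE NAME='admin') || '"
)


def render_pattern(template, event):
    """Emulate PatternLayout: replace %d/%p/%m with the event's fields.

    This is the Log4j 1.2 JDBCAppender behaviour in miniature: the rendered
    string *is* the SQL statement, so message text becomes SQL text.
    """
    subs = {"%d": event["timestamp"], "%p": event["level"], "%m": event["message"]}
    return re.sub(r"%[dpm]", lambda m: subs[m.group(0)], template)


def vulnerable_append(conn, event):
    """String-built statement, as in Log4j 1.2.x JDBCAppender."""
    conn.execute(render_pattern(SQL_TEMPLATE, event))


def safe_append(conn, event):
    """Parameterized statement: the message travels as a bound value, never as SQL.
    This is the approach Log4j 2's JDBC appender takes."""
    conn.execute(
        "INSERT INTO LOGS (LOGGED_AT, LEVEL, MESSAGE) VALUES (?, ?, ?)",
        (event["timestamp"], event["level"], event["message"]),
    )


def setup():
    """Constructed schema: a log table plus an unrelated table worth stealing from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LOGS (LOGGED_AT TEXT, LEVEL TEXT, MESSAGE TEXT)")
    conn.execute("CREATE TABLE USERS (NAME TEXT, PASSWORD_HASH TEXT)")
    conn.execute("INSERT INTO USERS VALUES ('admin', '$2b$12$constructedhash')")
    return conn


def rows(conn):
    return conn.execute("SELECT LEVEL, MESSAGE FROM LOGS").fetchall()


def demo(append):
    """Log the attacker string through the given appender and return the LOGS rows."""
    conn = setup()
    event = {"timestamp": "2021-12-14 10:00:00", "level": "WARN", "message": MALICIOUS}
    append(conn, event)
    return rows(conn)


def demo_quote(append):
    """A benign message with an apostrophe. The vulnerable path raises a SQL
    syntax error (a logging-side failure anyone can trigger on purpose) and
    returns None; the safe path stores the message unchanged."""
    conn = setup()
    event = {"timestamp": "2021-12-14 10:00:01", "level": "INFO",
             "message": "user O'Brien logged in"}
    try:
        append(conn, event)
    except sqlite3.Error:
        return None
    return rows(conn)


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_append))
    print("safe:      ", demo(safe_append))
    print("quote/vuln:", demo_quote(vulnerable_append))
    print("quote/safe:", demo_quote(safe_append))
```

The vulnerable path stores `login failed$2b$12$constructedhash` as the message, i.e. the subquery ran and its result was written into the log table; the safe path stores the attacker's string literally, which is the correct outcome for a logger. Whether a driver also lets `%m` smuggle in a second statement (`'); DROP TABLE ...`) depends on the JDBC driver's multi-statement settings, but the single-statement manipulation shown here needs no such setting, which is why the only real fix is parameterization or removing the appender.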