GithubHelp home page GithubHelp logo

albfernandez / log4j Goto Github PK

View Code? Open in Web Editor NEW

This project forked from apache/logging-log4j1

6.0 6.0 3.0 13.25 MB

Mirror of Apache log4j

License: Apache License 2.0

Java 91.64% HTML 0.77% CSS 0.24% Roff 7.25% Raku 0.11%

log4j's Introduction

Hi there ๐Ÿ‘‹

log4j's People

Contributors

albfernandez avatar consultantleon avatar garydgregory avatar grobmeier avatar pfumagalli avatar rgoers avatar scottdeboy avatar tallpsmith avatar yoavshapira avatar

Stargazers

avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar

Forkers

anlon-burke consultantleon busterb

log4j's Issues

CVE-2021-44228 -> please remove JMSAppender for log4j 1.2.7

Reading

https://lists.apache.org/thread/lgbtvvmy68p0059yoyn9qxzosdmx4jdv
and

I conclude that log4j 1.2.7 is not directly vulnerable to CVE-2021-44228 .

However
http://slf4j.org/log4shell.html
describes a less easy to exploit potential vulnerability related to the JMSAppender and a JNDI lookup.

As this CVE is currently receiving a lot of attention, it seems best to to address that vulnerability in log4j 1.2.7 to put the mind of our customers at ease completely.

Simply removing the JMSAppender class seems sufficient I think.

CVE-2022-23305 SQL injection in JDBCAppender

CVE-2022-23305

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.