[Info-vax] Issues now found in log4j version 1

Arne Vajhøj arne at vajhoej.dk
Mon Feb 7 13:50:51 EST 2022


On 2/7/2022 1:23 PM, Simon Clubley wrote:
> Issues have now been found in version 1 of log4j. This is the older
> version that was previously not considered to be vulnerable.
> 
> Details in:
> 
> https://access.redhat.com/errata/RHSA-2022:0442

The older version that reached project EOL in 2015.

Redhat has released a fix anyway.

The 3 issues cover:
* JDBC appender (application logging to database)
* JMS sink tool that processes log events from MQ (put there by JMS appender)
* Chainsaw that is a GUI to view and search log files

All 3 may be somewhat rare cases. But if the number of applications using
log4j 1.x is measured in hundreds of thousands then a vulnerability
only impacting 1% of users is still a lot of users.

> I wonder when the next logging vulnerability will be found and if
> it will be log4j or something else ?

Classic question: if you have found a lot of bugs in a program do you
assume there are still many bugs to be found (due to poor quality) or
few bugs to be found (because the bugs have been found)?

There are plenty of other logging frameworks out there.

Java: jul, logback etc.
.NET: log4net, NLog etc.
PHP: log4php, Monolog etc.
Etc.

Arne
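As an added example from the editor (not part of Arne's post, nor code from the log4j project): a small audit script that scans a log4j 1.x properties-style configuration for the two appender classes behind the JDBC and JMS items listed above, and reports which loggers actually attach each one, since an appender that is defined but never referenced is not in use. Chainsaw is a separate GUI and cannot be found from a configuration file this way. The appender class names are the real log4j 1.x ones; the sample configuration and its values are constructed.

```python
"""Audit a log4j 1.x properties configuration for the JDBC and JMS appenders.

Added example. Class names are the real log4j 1.x ones; SAMPLE_CONFIG is
constructed for this demonstration.
"""
import re
from typing import Dict, List

# Appender classes relevant to the three log4j 1.x items discussed above.
# Chainsaw is a standalone viewer, so it does not appear in log4j.properties.
AFFECTED_APPENDER_CLASSES = {
    "org.apache.log4j.jdbc.JDBCAppender": "JDBC appender (logs to a database)",
    "org.apache.log4j.net.JMSAppender": "JMS appender (producer side of the JMS sink path)",
}

# 'log4j.appender.NAME=CLASS' defines an appender; 'log4j.appender.NAME.prop=...'
# lines are settings and deliberately do not match (the name has no dots).
APPENDER_RE = re.compile(r"^\s*log4j\.appender\.([A-Za-z0-9_\-]+)\s*=\s*(\S+)\s*$")

# Root logger and named logger/category lines: 'log4j.rootLogger=LEVEL, A1, A2'
LOGGER_RE = re.compile(
    r"^\s*log4j\.(rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_appenders(config_text: str) -> Dict[str, str]:
    """Return {appender name: fully qualified class} from properties text."""
    appenders: Dict[str, str] = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties-file comments
            continue
        m = APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
    return appenders


def referenced_appenders(config_text: str) -> Dict[str, List[str]]:
    """Return {appender name: [logger keys that attach it]}.

    In log4j 1.x the first comma-separated token of a logger value is the
    level (possibly empty); the remaining tokens are appender names.
    """
    refs: Dict[str, List[str]] = {}
    for line in config_text.splitlines():
        m = LOGGER_RE.match(line)
        if not m:
            continue
        parts = [p.strip() for p in m.group(2).split(",")]
        for appender_name in parts[1:]:
            if appender_name:
                refs.setdefault(appender_name, []).append(m.group(1))
    return refs


def find_affected(config_text: str) -> List[dict]:
    """List appenders of an affected class, with the loggers that use them."""
    refs = referenced_appenders(config_text)
    findings = []
    for name, cls in sorted(parse_appenders(config_text).items()):
        if cls in AFFECTED_APPENDER_CLASSES:
            findings.append({
                "appender": name,
                "class": cls,
                "issue": AFFECTED_APPENDER_CLASSES[cls],
                "attached_to": refs.get(name, []),  # empty list: defined but unused
            })
    return findings


# Constructed sample log4j.properties (not from any real deployment).
SAMPLE_CONFIG = """
# constructed sample configuration
log4j.rootLogger=INFO, console, DB
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.DB=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.DB.URL=jdbc:placeholder://db.example/logs
log4j.appender.DB.sql=INSERT INTO logs VALUES ('%m')
log4j.appender.MQ=org.apache.log4j.net.JMSAppender
log4j.appender.MQ.TopicBindingName=logTopic
log4j.logger.com.example.audit=DEBUG, MQ
"""

if __name__ == "__main__":
    for finding in find_affected(SAMPLE_CONFIG):
        used = ", ".join(finding["attached_to"]) or "not attached to any logger"
        print(f"{finding['appender']}: {finding['issue']} [{used}]")
```

Run the script over each application's log4j.properties (or adapt LOGGER_RE and APPENDER_RE for log4j.xml) to get an inventory of where the JDBC and JMS paths are actually wired in, which is the first thing to know before deciding whether the vendor fix matters for a given system.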
