[Info-vax] Issues now found in log4j version 1

Arne Vajhøj arne at vajhoej.dk
Tue Feb 8 10:07:13 EST 2022


On 2/8/2022 8:57 AM, Simon Clubley wrote:
> On 2022-02-07, Arne Vajhøj <arne at vajhoej.dk> wrote:
>> On 2/7/2022 1:23 PM, Simon Clubley wrote:
>>> Issues have now been found in version 1 of log4j. This is the older
>>> version that was previously not considered to be vulnerable.
>>>
>>> Details in:
>>>
>>> https://access.redhat.com/errata/RHSA-2022:0442
>>
>> The older version that reached project EOL in 2015.
>>
>> Redhat has released a fix anyway.
> 
> When you consider that Redhat routinely backports security fixes to
> older versions of software, that's probably not as unusual as it seems.

True.

But the users of log4j 1.x have accepted a risk
by using an EOL product and not all of them are
Redhat customers.

>> There are plenty of other logging frameworks out there.
>>
>> Java: jul, logback etc.
>> .NET: log4net, NLog etc.
>> PHP: log4php, Monolog etc.
>> Etc.
> 
> In addition to those, there are also the public facing loggers that
> exist within an operating system itself.

You mean Windows event log, *nix syslog, VMS various (operator log,
audit log etc.)?

Arne
