On 12/14/21 8:07 AM, Steve Meier wrote:
Hello Steve,
Am 2021-12-14 13:42, schrieb Steve Clark via CentOS:
Hi List,
I see on CentOS 7 it has log4j-1.2.17...
Is ok 2 use. I know the CVE was against 2.0 fwd but not knowing if
something was backported to 1.2 ?
Thanks,
Steve
log4j Version 1.2 is definitely *NOT* OK to use.
The Apache website https://logging.apache.org/log4j/1.2/ says:
"On August 5, 2015 the Logging Services Project Management Committee
announced that Log4j 1.x had reached end of life."
There is already an unpatched CVE from 2019 for log4j 1.2.
It's really time to upgrade.
Kind regards,
Steve
This is the standard version that comes with CentOS 7 and is the latest
available as of a yum update just now.
log4j-1.2.17-16.el7_4.noarch
--
Stephen Clark
NetWolves Managed Services, LLC.
Sr. Applications Architect
Email Confidentiality Notice: The information contained in this transmission may
contain privileged and confidential and/or protected health information (PHI)
and may be subject to protection under the law, including the Health Insurance
Portability and Accountability Act of 1996, as amended (HIPAA). This
transmission is intended for the sole use of the individual or entity to whom it
is addressed. If you are not the intended recipient, you are notified that any
use, dissemination, distribution, printing or copying of this transmission is
strictly prohibited and may subject you to criminal or civil penalties. If you
have received this transmission in error, please contact the sender immediately
and delete this email and any attachments from any computer. Vaso Corporation
and its subsidiary companies are not responsible for data leaks that result from
email messages received that contain privileged and confidential and/or
protected health information (PHI).