tag 1001684 -moreinfo +upstream severity 1001684 wishlist thanks > I only stumbled upon this when examining our servers for instances > vulnerable to CVE-2021-44228. Forums seem to claim that versions log4j > versions 1 are not safe either (different vulnerabilities), but without > giving any specifics. However, log4j team itself says versions 1.x are > "end of life" and should be avoided. So, it's more a case of "better be > safe than sorry" than any concrete exploit. > > Also, since a while already, Java now has its own internal logging > framework (java.util.logging.Logger), so there should be less and less > reason to use potentially unsafe third-party logging libraries (but > switching to java's internal logging might be more difficult to do in > the short run than just upgrading to a newer version).
I'll try to report this upstream. Alex

