tag 1001684 -moreinfo +upstream
severity 1001684 wishlist
thanks

> I only stumbled upon this when examining our servers for instances
> vulnerable to CVE-2021-44228. Forums seem to claim that versions log4j
> versions 1 are not safe either (different vulnerabilities), but without
> giving any specifics. However, log4j team itself says versions 1.x are
> "end of life" and should be avoided. So, it's more a case of "better be
> safe than sorry" than any concrete exploit.
>
> Also, since a while already, Java now has its own internal logging
> framework (java.util.logging.Logger), so there should be less and less
> reason to use potentially unsafe third-party logging libraries (but
> switching to java's internal logging might be more difficult to do in
> the short run than just upgrading to a newer version).

I'll try to report this upstream.

Alex

Reply via email to