With regard to the log4j JNDI remote code execution vulnerability identified as CVE-2021-44228 (also see references), I wondered whether Log4j v1.2 is also impacted, but the closest I got from source code review is the JMSAppender.
The question is: while posts on the internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.
Am I missing something that others have identified?
Log4j 1.2 appears to have a vulnerability in the SocketServer class, but my understanding is that it needs to be enabled in the first place for it to be applicable, and hence it is not a passive threat, unlike the JNDI lookup vulnerability, which the one identified appears to be.
Is my understanding correct that Log4j v1.2 is not vulnerable to the JNDI remote code execution bug?
References:
https://logging.apache.org/log4j/2.x/security.html
https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
Update #1 - This blog post from Cloudflare also indicates the same point as AKX: that it was introduced in log4j2!
CodePudding user response:
The JNDI feature was added in log4j 2.0-beta9.
log4j 1.x thus does not have the vulnerable code.
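A practical way to confirm which code base a deployment actually ships, as an added example that is not part of the question or the answer above: the JndiLookup class only exists in the log4j 2.x package layout (org/apache/logging/log4j/core/lookup/), while log4j 1.x lives under org/apache/log4j/. The scanner below lists the entries of a jar and reports which layout it finds, and it recurses into nested archives because WARs and fat jars frequently bundle log4j-core rather than putting it on the class path directly. The sample archives are constructed in memory from empty placeholder entries (only the entry names matter); the marker class names are real log4j class paths, and the verdict strings are this example's own wording, not anything from the Apache advisory.

```python
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List

# Real package layouts of the two code bases; the archives built further down are constructed.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_CORE_MARKER = "org/apache/logging/log4j/core/LogEvent.class"
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    location: str        # outer.war!WEB-INF/lib/inner.jar style path chain
    log4j1: bool
    log4j2_core: bool
    jndi_lookup: bool

    @property
    def verdict(self) -> str:
        if self.jndi_lookup:
            return "log4j 2.x core with JndiLookup.class: CVE-2021-44228 code path present"
        if self.log4j2_core:
            return "log4j 2.x core without JndiLookup.class"
        if self.log4j1:
            return "log4j 1.x: JndiLookup.class does not exist in this code base"
        return "no log4j classes"


def scan_archive(data: bytes, location: str) -> List[Finding]:
    """Return one Finding per archive (outer or nested) that contains log4j classes."""
    findings: List[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # an entry named *.jar that is not a zip: skip it rather than abort
    with zf:
        names = set(zf.namelist())
        finding = Finding(
            location,
            LOG4J1_MARKER in names,
            LOG4J2_CORE_MARKER in names,
            LOG4J2_JNDI_LOOKUP in names,
        )
        if finding.log4j1 or finding.log4j2_core or finding.jndi_lookup:
            findings.append(finding)
        # Fat jars and WARs ship log4j as a nested archive; recurse into those.
        for name in names:
            if name.lower().endswith(NESTED_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{location}!{name}"))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan an on-disk jar/war/ear; usage: for f in scan_file('app.war'): print(f.verdict)."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read(), path)


def make_archive(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory zip/jar from name -> bytes entries (constructed test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample artifacts: the .class entries are empty placeholders, only names matter.
SAMPLE_LOG4J1 = make_archive({LOG4J1_MARKER: b"", "org/apache/log4j/net/JMSAppender.class": b""})
SAMPLE_LOG4J2_CORE = make_archive({LOG4J2_CORE_MARKER: b"", LOG4J2_JNDI_LOOKUP: b""})
SAMPLE_WAR = make_archive({
    "WEB-INF/lib/log4j-core-2.x.jar": SAMPLE_LOG4J2_CORE,   # hypothetical file names
    "WEB-INF/lib/log4j-1.2.x.jar": SAMPLE_LOG4J1,
    "WEB-INF/classes/com/example/App.class": b"",
})


if __name__ == "__main__":
    for f in scan_archive(SAMPLE_WAR, "app.war"):
        print(f"{f.location}: {f.verdict}")
```

The presence check answers the question the thread is about (does this artifact contain the 2.x lookup class at all); it does not by itself tell you whether a 2.x build is a patched version, so a hit still needs the version and mitigation status checked against the Apache security page linked above.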