Home > Software design >  Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0
Log4j 1: How to mitigate the vulnerability in log4j without updating version to 2.15.0

Time:12-13

I am using log4j 1.2.16. I am using this with maven selenium testng java project. I am looking for a solution without upgrading the version of log4j.

<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.16</version>
</dependency>

CodePudding user response:

Since you're using log4j 1, the specific vulnerability is not present there. See http://slf4j.org/log4shell.html:

Is log4j 1.x vulnerable? As log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. However, note that log4j 1.x is no longer being maintained. Thus, we urge you to migrate to one of its successors such as SLF4J and logback. Do migrate without delaying too much! Given that log4j version 1.x is still very widely deployed, we have been receiving a steady stream of questions regarding the vulnerability of log4j version 1.x.

As log4j 1.x does not offer a look up mechanism, it does not suffer from CVE-2021-44228.

Having said this, log4j 1.x is no longer being maintained with all the entailed security implications. Thus, we definitely urge you to migrate to one of its successors such as SLF4J/logback, sooner rather than later. But do migrate without waiting for months! Also note that tools exist to automate the migration.

Page link:https//www.codepudding.com/Softwaredesign/226158.html

Prev:mean imputation by filling in missing dates and by symetrically iterating over dates up and down to
Next:Python Selenium check all checkboxes on page
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding