I want to use log4j library for my web app that is created with Java 6. Which version is safe for me ? Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?

CodePudding user response：

No versions of log4j 1.x are safe. It is end-of-life, and there are vulnerabilities that have not been patched. For log4 2.x, the best advice us to use the most recent version.

See https://www.petefreitag.com/item/926.cfm for a list of recent log4j 1.x and 2.x vulnerabilities and their patch status.

I want to use log4j library for my web app that is created with Java 6.

The version of Java that your webapp was "created with" is not relevant from a security perspective. However, you should not use Java 6 or Java 7 to run your applications. They are both end-of-life, and you can only get security patches under a (paid) maintenance contract.

Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?

Log4j2 is recommended. Log4j is end-of-life, and they have stopped publishing official security patches.

CodePudding user response：

This page provides information about security for log4j2. Version 2.3.2 solved an important security issue for Java 6. From that point it is safer than other versions. It is also a very widely used library supported by a strong community.

However, determining if a library , like log4j2, is secure enough for a specific application highly depends on the application's security requirements.

Given the wide usage of log4j2 it seems that most people consider it secure enough for many applications.