Home > other >  I am going to use log4j version 2.3.2 . is it safe for me?
I am going to use log4j version 2.3.2 . is it safe for me?

Time:03-12

I want to use log4j library for my web app that is created with Java 6. Which version is safe for me ? Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?

CodePudding user response:

No versions of log4j 1.x are safe. It is end-of-life, and there are vulnerabilities that have not been patched. For log4 2.x, the best advice us to use the most recent version.

See https://www.petefreitag.com/item/926.cfm for a list of recent log4j 1.x and 2.x vulnerabilities and their patch status.


I want to use log4j library for my web app that is created with Java 6.

The version of Java that your webapp was "created with" is not relevant from a security perspective. However, you should not use Java 6 or Java 7 to run your applications. They are both end-of-life, and you can only get security patches under a (paid) maintenance contract.

Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?

Log4j2 is recommended. Log4j is end-of-life, and they have stopped publishing official security patches.

CodePudding user response:

This page provides information about security for log4j2. Version 2.3.2 solved an important security issue for Java 6. From that point it is safer than other versions. It is also a very widely used library supported by a strong community.

However, determining if a library , like log4j2, is secure enough for a specific application highly depends on the application's security requirements.

Given the wide usage of log4j2 it seems that most people consider it secure enough for many applications.

  • Related