I want to use log4j library for my web app that is created with Java 6. Which version is safe for me ? Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?
CodePudding user response:
No versions of log4j 1.x are safe. It is end-of-life, and there are vulnerabilities that have not been patched. For log4 2.x, the best advice us to use the most recent version.
See https://www.petefreitag.com/item/926.cfm for a list of recent log4j 1.x and 2.x vulnerabilities and their patch status.
I want to use log4j library for my web app that is created with Java 6.
The version of Java that your webapp was "created with" is not relevant from a security perspective. However, you should not use Java 6 or Java 7 to run your applications. They are both end-of-life, and you can only get security patches under a (paid) maintenance contract.
Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?
Log4j2 is recommended. Log4j is end-of-life, and they have stopped publishing official security patches.
CodePudding user response:
This page provides information about security for log4j2. Version 2.3.2 solved an important security issue for Java 6. From that point it is safer than other versions. It is also a very widely used library supported by a strong community.
However, determining if a library , like log4j2, is secure enough for a specific application highly depends on the application's security requirements.
Given the wide usage of log4j2 it seems that most people consider it secure enough for many applications.