Bhans345

Reputation: 39

CVE-2021-44228 and log4j 1.2.17

I am on log4j 1.2.17 (we use apache-log4j-extras as well, same version).

Could you please advise me whether CVE-2021-44228 impacts this version or not?

Thanks

Upvotes: 0

Views: 5393

Answers (3)

Ceki

Reputation: 27435

As mentioned by M A, since log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. See also https://www.slf4j.org/log4shell.html

It should also be mentioned that the reload4j project fixes outstanding vulnerabilities with log4j 1.x.

Upvotes: 1

Mehdi

Reputation: 1477

For versions 1.x.x of log4j you are vulnerable only if you are using a JMS Appender in your log4j configuration. The description of the vulnerability and possible mitigations for CVE-2021-44228 are explained here.

Upvotes: 1

M A

Reputation: 72844

The specific vulnerability is not present there. See http://slf4j.org/log4shell.html:

Is log4j 1.x vulnerable? As log4j 1.x does not offer a look-up mechanism, it does not suffer from CVE-2021-44228. However, note that log4j 1.x is no longer being maintained. Thus, we urge you to migrate to one of its successors such as SLF4J and logback. Do migrate without delaying too much! Given that log4j version 1.x is still very widely deployed, we have been receiving a steady stream of questions regarding the vulnerability of log4j version 1.x.

As log4j 1.x does not offer a look up mechanism, it does not suffer from CVE-2021-44228.

Having said this, log4j 1.x is no longer being maintained with all the entailed security implications. Thus, we definitely urge you to migrate to one of its successors such as SLF4J/logback, sooner rather than later. But do migrate without waiting for months! Also note that tools exist to automate the migration.

Upvotes: 2
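The answers above reduce to two checks a practitioner would actually run: which log4j line a given jar belongs to (log4j-core 2.x carrying the lookup class that CVE-2021-44228 abuses, versus log4j 1.x, which has no lookup mechanism), and, for 1.x, whether the configuration declares the JMSAppender that Mehdi's answer calls out. The script below does both offline. It is an added example, not code from this thread or from the log4j, SLF4J or reload4j projects. The class paths are the real ones from the respective distributions; the sample jars, the sample configuration and the verdict labels are constructed for this example, and the presence of a class is only an indicator, so the exact version still has to be confirmed against the upstream advisory.

```python
# Added example: classify log4j jars and spot JMSAppender in 1.x config.
# Sample archives and configuration below are constructed in memory.
import io
import re
import zipfile
from pathlib import Path

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
JMS_APPENDER_CLASS = "org/apache/log4j/net/JMSAppender.class"               # log4j 1.x
LOG4J1_PKG = "org/apache/log4j/"
LOG4J2_CORE_PKG = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def jar_entry_names(jar_bytes: bytes, depth: int = 0) -> set:
    """Entry names of an archive, including those of archives nested inside it
    (uber-jars, WAR/EAR bundles), so a shaded or bundled log4j is not missed."""
    names = set()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for entry in zf.namelist():
            names.add(entry)
            if entry.endswith(ARCHIVE_SUFFIXES) and depth < 4:
                try:
                    names |= jar_entry_names(zf.read(entry), depth + 1)
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one
    return names


def assess_jar(jar_bytes: bytes) -> str:
    """Coarse verdict from the classes present (labels are this example's own)."""
    names = jar_entry_names(jar_bytes)
    if JNDI_LOOKUP_CLASS in names:
        return "LOG4J2_JNDI_LOOKUP"       # CVE-2021-44228 surface present; check version
    if any(n.startswith(LOG4J2_CORE_PKG) for n in names):
        return "LOG4J2_NO_JNDI_LOOKUP"    # class absent or removed by mitigation
    if any(n.startswith(LOG4J1_PKG) for n in names):
        # 1.x has no lookup mechanism, so CVE-2021-44228 does not apply;
        # its JNDI exposure is JMSAppender, which only matters if configured.
        return "LOG4J1_WITH_JMSAPPENDER" if JMS_APPENDER_CLASS in names else "LOG4J1"
    return "NOT_LOG4J"


def scan_directory(root: Path) -> dict:
    """Verdict per archive under root; what you would run over a deployment."""
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in ARCHIVE_SUFFIXES:
            try:
                results[str(path)] = assess_jar(path.read_bytes())
            except zipfile.BadZipFile:
                results[str(path)] = "NOT_AN_ARCHIVE"
    return results


# log4j.properties style: log4j.appender.NAME=org.apache.log4j.net.JMSAppender
PROPS_JMS_RE = re.compile(
    r"^\s*log4j\.appender\.([\w.-]+)\s*=\s*org\.apache\.log4j\.net\.JMSAppender\s*$", re.M)
# log4j.xml style: <appender name="NAME" class="org.apache.log4j.net.JMSAppender">
XML_TAG_RE = re.compile(r"<appender\b([^>]*)>")
XML_ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def jms_appenders_in_config(text: str) -> list:
    """Names of appenders declared as JMSAppender in either 1.x config style.
    Commented-out properties lines (#...) are ignored."""
    found = PROPS_JMS_RE.findall(text)
    for tag in XML_TAG_RE.finditer(text):
        attrs = dict(XML_ATTR_RE.findall(tag.group(1)))
        if attrs.get("class") == "org.apache.log4j.net.JMSAppender":
            found.append(attrs.get("name", "<unnamed>"))
    return found


def build_jar(entries: dict) -> bytes:
    """Constructed stand-in archive: real entry names, placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


SAMPLE_LOG4J1_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/log4j/Logger.class": b"",
    JMS_APPENDER_CLASS: b"",
})
SAMPLE_LOG4J2_CORE_JAR = build_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/apache/logging/log4j/core/Logger.class": b"",
    JNDI_LOOKUP_CLASS: b"",
})
SAMPLE_UBER_JAR = build_jar({          # application jar bundling log4j 1.x
    "com/example/App.class": b"",
    "lib/log4j-1.2.17.jar": SAMPLE_LOG4J1_JAR,
})
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, console, jms
log4j.appender.console=org.apache.log4j.ConsoleAppender
#log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""

if __name__ == "__main__":
    for label, jar in [("log4j-1.2.17.jar", SAMPLE_LOG4J1_JAR),
                       ("log4j-core-2.x.jar", SAMPLE_LOG4J2_CORE_JAR),
                       ("app.jar", SAMPLE_UBER_JAR)]:
        print(f"{label}: {assess_jar(jar)}")
    print("JMSAppender declared as:", jms_appenders_in_config(SAMPLE_PROPERTIES))
```

Against a real deployment you would call scan_directory on the application's lib directory and feed every log4j.properties or log4j.xml found to jms_appenders_in_config. The archive walk recurses into nested jars because shaded and bundled copies are where 1.x typically hides; a verdict of LOG4J1 or LOG4J1_WITH_JMSAPPENDER answers the question asked here (not affected by CVE-2021-44228), while the JMSAppender hit is the separate 1.x configuration issue the answers point to, and a LOG4J2_JNDI_LOOKUP hit means the 2.x advisory applies and the version must be checked.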
