Reputation: 574
I have recently read about the zero-day issue in Log4j. I work with a few applications, written with .NET, that use the log4net logging library, which is based on Log4j.
Does log4net have any similar security vulnerabilities as the CVE-2021-44228 vulnerability to Log4j?
Upvotes: 34
Views: 20775
Reputation: 449
No, it is specific to Log4j-core. Please see CVE-2021-44228 Detail (NIST).
Upvotes: 3
Reputation: 4963
Vulnerability Details: CVE-2021-44228 (CVE Details) and CVE-2021-44228 (CVE) have the following note:
Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
So, no. log4net is fine.
Upvotes: 17
Reputation: 286
Apparently it has to use JNDI and JVM. Ports are clear if they don't use those.
Does CVE-2021-44228 impact Log4j ports?
Upvotes: 4
Reputation: 27220
Does log4net have any similar security vulnerabilities as the CVE-2021-44228 vulnerability to Log4j?
I don't believe so. If they did, it would be a coincidence. I don't think they share code.
Upvotes: 0
Reputation: 17
Long ago I was programming C++ when I found out that the C++ package I was using to access the database was just a wrapper for Java code.
The fact that the security bug exists in a Java-only core part of Log4j doesn't mean that log4net is bug-free and safe. It might just as well have other security issues.
In fact, any piece of software can have vulnerabilities and probably has them too. It isn't just a problem with Log4j or log4net but a problem with any package we quickly accept and put our trust in.
Upvotes: 1