Type: Task
Resolution: Done
Priority: Major

We need to document the changes to Log4j 1.2.17 in this release. Some Appenders have been changed and some removed. The details are given below:
==============
Provide fixes for all CVEs, based either on existing fixes (CVE-2017-5645) or on fixes made available in reload4j.

| CVE | Affected class | Remedy |
| --- | --- | --- |
| CVE-2021-4104 | JMSAppender | Only allow "java:" namespace lookups |
| CVE-2022-23302 | JMSSink | Removed (users can use community log4j or reload4j instead) |
| CVE-2022-23305 | JDBCAppender | Refactored to use named parameters |
| CVE-2022-23307 | LoggingReceiver (Chainsaw) | Hardened with the "org.apache.log4j.net.allowedClasses" system property |
| CVE-2020-9488 | SMTPAppender | Implemented SSL check |
| XXE attack [1] | DOMConfigurator | Fixed |
| CVE-2019-17571 (/ CVE-2017-5645) | SocketNode (/ SocketServer) | Hardened with the "org.apache.log4j.net.allowedClasses" system property |

[1] While currently not marked as a CVE, it is likely to become one.
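As an added illustration of the "org.apache.log4j.net.allowedClasses" hardening listed for SocketNode and LoggingReceiver (this is not the project's or reload4j's code): an ObjectInputStream that refuses every class not named in that property, so a gadget class in an incoming stream is never loaded or instantiated. The comma-separated property format, the class name and the sample payload are assumptions.

```java
import java.io.*;
import java.util.HashSet;
import java.util.Set;

// Added illustration of an allow-list ObjectInputStream keyed by the
// "org.apache.log4j.net.allowedClasses" property from the table above.
// Not the project's own code; the comma-separated format is an assumption.
public class AllowListObjectInputStream extends ObjectInputStream {
    public static final String PROPERTY = "org.apache.log4j.net.allowedClasses";
    private final Set<String> allowed;
    public AllowListObjectInputStream(InputStream in) throws IOException {
        super(in);
        allowed = parseAllowedClasses(System.getProperty(PROPERTY, ""));
    }

    // Comma-separated fully qualified class names; whitespace and empty entries ignored.
    static Set<String> parseAllowedClasses(String value) {
        Set<String> set = new HashSet<>();
        for (String name : value.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) set.add(trimmed);
        }
        return set;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Called for every class descriptor in the stream, superclasses included,
        // before the class is loaded, so an unlisted class is never instantiated.
        if (!allowed.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "not listed in " + PROPERTY);
        }
        return super.resolveClass(desc);
    }
    public static void main(String[] args) throws Exception {
        System.setProperty(PROPERTY, "java.lang.String");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(Integer.valueOf(42)); // constructed sample; Integer is not listed
        }
        try (ObjectInputStream ois =
                 new AllowListObjectInputStream(new ByteArrayInputStream(bos.toByteArray()))) {
            ois.readObject();
            System.out.println("unexpected: object accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a real deployment the list has to name every class in the LoggingEvent object graph, superclasses included, because resolveClass is consulted for each descriptor in the stream.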
Code is available for perusal at: