
log4j-vulnerability – Is log4j1.2.17 vulnerable (was unable to find any jndi code in source)?

With regard to the log4j JNDI remote code execution vulnerability that has been identified as CVE-2021-44228 (also see references), I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.

The question is: while the posts on the internet indicate that Log4j-1.2 is also vulnerable, I am not able to find the relevant source code for it.

Am I missing something that others have identified?


Log4j1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat, unlike the jndi-lookup vulnerability, which the one identified appears to be.

Is my understanding, that Log4j-v1.2 is not vulnerable to the jndi-remote-code execution bug, correct?

References

https://logging.apache.org/log4j/2.x/security.html

https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/

https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

https://portswigger.net/daily-swig/log4shell-vulnerability-poses-critical-threat-to-applications-using-ubiquitous-java-logging-package-apache-log4j

Update #1 – This blog post from Cloudflare also indicates the same point as from AKX: that it was introduced from log4j2!

Solution:

The JNDI feature was added into log4j 2.0-beta9.

log4j 1.x thus does not have the vulnerable code.
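The distinction drawn above can be checked against the artifacts you actually deploy. The following is an added example, not code from the post or from the Log4j project: it lists which of the classes discussed here (the 2.x `JndiLookup`, the 1.x `JMSAppender` and `SocketServer`) ship inside an archive, including nested JARs. The function names `scan_archive` and `make_jar` are hypothetical, and the sample archives are constructed in memory.

```python
import io
import zipfile

# Class entries tied to the code paths discussed on this page.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x
V1_MARKER = "org/apache/log4j/Logger.class"  # org.apache.log4j (1.x) API
V1_OPT_IN = {  # 1.x classes that matter only when explicitly configured or run
    "org/apache/log4j/net/JMSAppender.class": "JMSAppender",
    "org/apache/log4j/net/SocketServer.class": "SocketServer",
}
NESTED = (".jar", ".war", ".ear")


def scan_archive(data, name="<archive>", depth=0, max_depth=4):
    """Return [(archive_path, finding)] for an archive given as bytes."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(name, "unreadable archive")]
    findings = []
    with zf:
        names = sorted(set(zf.namelist()))
        if JNDI_LOOKUP in names:
            findings.append((name, "log4j 2.x JndiLookup class present"))
        if V1_MARKER in names:
            opt_in = [v for k, v in sorted(V1_OPT_IN.items()) if k in names]
            findings.append((name, "log4j 1.x classes present; opt-in: "
                             + (", ".join(opt_in) or "none")))
        for entry in names:  # fat JARs / WARs carry libraries as nested archives
            if depth < max_depth and entry.lower().endswith(NESTED):
                findings += scan_archive(zf.read(entry), f"{name}!/{entry}",
                                         depth + 1, max_depth)
    return findings


def make_jar(entries):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


if __name__ == "__main__":  # constructed sample: an app bundling both generations
    v1 = make_jar({V1_MARKER: b"", **{k: b"" for k in V1_OPT_IN}})
    v2 = make_jar({JNDI_LOOKUP: b""})
    app = make_jar({"lib/log4j-1.2.17.jar": v1, "lib/log4j-core-2.x.jar": v2})
    for path, finding in scan_archive(app, "app.jar"):
        print(f"{path}: {finding}")
```

A hit only shows that the class ships in the archive; whether `JMSAppender` or `SocketServer` is actually enabled has to be read from the logging configuration and the process's startup.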
