The official website. The vulnerability was introduced in 2.0-beta7 which was released in 2013. Source: about 1 year ago
What you need is log4j-core, what you downloaded is some kind of connector between log4j and JUL. Tbh I don't know what JUL is, but that's not important. You can get log4j-core from the official website - https://logging.apache.org/log4j/2.x/ or in maven repo. In case you're not using maven, I highly, highly recommend using it for managing your dependencies. Source: about 1 year ago
Log4J (https://logging.apache.org/log4j/2.x/) is a Java-based logging framework. It is a part of Apache Logging Services. It was also the most popular and widely used Java logging solution until the exposure of its Log4Shell vulnerability last year. - Source: dev.to / over 1 year ago
Almost nothing is more ubiquitous in applications than logging libraries. No matter which type of application - hastily thrown-together prototypes, decades-old enterprise monoliths, newly built event-driven serverless apps - there is always the need to log. Even in non-production-grade applications where standard observability patterns such as monitoring and alerting might not be applied - logging is usually... - Source: dev.to / about 2 years ago
Most applications currently use Log4J2 or SLF4J. Both provide a compatible System.Logger implementation. - Source: dev.to / about 2 years ago
Latest version with fixes is 2.17.1 according to their site. https://logging.apache.org/log4j/2.x/. Source: over 2 years ago
Apache's homepage for Log4j states "Log4j2 versions 2.0-beta7 through 2.17.0 are vulnerable" to this attack and the best course of action is to update to at least 2.17.1. Even version 2.16 was found to have a denial of service vulnerability. So unless you want your poor computer to receive all the requests in the known universe and crash, you need at least version 2.17.1. Meanwhile I'm sitting here doing a... Source: over 2 years ago
Log4j 2.17.1 was released because a new vulnerability on RCE (Remote Code Execution) had been found in 2.17.0. (CVE-2021-4483). - Source: dev.to / over 2 years ago
TWS 1012 and TWS 981 as of today's installer 12-27-2021, use log4j-api-2.16.0.jar and log4j-core-2.16.0.jar, which per https://logging.apache.org/log4j/2.x/ "2.16.0 did not protect from uncontrolled recursion from self-referential lookups". Source: over 2 years ago
The Log4j vulnerability tracked as CVE-2021-44228 (also known as Log4Shell) allows an attacker to execute arbitrary code in a system. If your application uses Log4j from version 2.0-alpha1 to 2.14.1, you should update to the latest version (2.16.0 at the time of writing this) as soon as possible. - Source: dev.to / over 2 years ago
Log4j 2.17.0 was released for security reasons. It fixes a DoS (denial-of-service) vulnerability in 2.16.0 and below on v2. - Source: dev.to / over 2 years ago
Before we get to the video links, here is the Apache Log4j 2 website for official news and updates: https://logging.apache.org/log4j/2.x/. Source: over 2 years ago
But, Apache says Log4j 2.15 is still vulnerable and we have to use 2.16: Link to Apache Log4j page. Source: over 2 years ago
I recommend checking out the official Apache log4j page. This is where I am basing my information. Someone please correct me if I'm wrong. https://logging.apache.org/log4j/2.x/. Source: over 2 years ago
The current recommended action for all those impacted by CVE-2021-44228 or CVE-2021-45046 is to update to Log4j 2.16.0 or higher. Source: over 2 years ago
As to Log4j, a new vulnerability was also found and reported in 2.15.0 as CVE-2021-45046. It was fixed in the next 2.16.0 released on 13 Dec 2021. Well, it is less severe than one in 2.14.0 and above aka log4shell. - Source: dev.to / over 2 years ago
And Log4j already has a patch in place in the latest version. (bottom of page). Source: over 2 years ago
The mitigation from the log4j site (see the bottom under "CVE-2021-44228") is "to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class". Source: over 2 years ago
Caused by Apache Log4j's JNDI ("Java Naming and Directory Interface") features. - Source: dev.to / over 2 years ago
Today, our company detected attack trials on Apache Log4j RCE vulnerability (CVE-2021-44228) due to its JNDI ("Java Naming and Directory Interface") features to one of our servers in Swiss:. - Source: dev.to / over 2 years ago
That video explained nothing. Also it's a vulnerability in Apache's Log4J, not Java. Source: over 2 years ago