With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 - (also see references) - I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.
The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.
Am I missing something that others have identified?
Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.
Is my understanding - that Log4j v1.2 - is not vulnerable to the jndi-remote-code execution bug correct?
References
This blog post from Cloudflare also indicates the same point as from AKX....that it was introduced from Log4j 2!
Update #1 - A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for few vulnerabilities identified in the older library is now available (from the original log4j author). The site is . As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer the link for additional details.
23 Answers
The JNDI feature was added into Log4j 2.0-beta9.
Log4j 1.x thus does not have the vulnerable code.
11While not affected by the exact same Log4Shell issue, the Apache Log4j team recommends to remove JMSAppender and SocketServer, which has a vulnerability in CVE-2019-17571, from your JAR files.
You can use the zip command to remove the affected classes. Replace the filename/version with yours:
zip -d log4j-1.2.16.jar org/apache/log4j/net/JMSAppender.class zip -d log4j-1.2.16.jar org/apache/log4j/net/SocketServer.class You can look through through the files in your zip using less and grep, e.g. less log4j-1.2.16.jar | grep JMSAppender
That being said, Apache recommends that you upgrade to the 2.x version if possible. According to their security page:
1Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.
In addition to giraffesyo's answer and in case it helps anyone - I wrote this Bash script - which removes classes identified as vulnerabilities (link here to Log4j dev thread) and sets properties files are read-only - as suggested here on a Red Hat Bugzilla thread.
Note 1 - it does not check for any usage of these classes in properties it is purely a way to find and remove - use at own risk!
Note 2 - it depends on zip and unzip being installed
#!/bin/bash DIR=$1 APPLY=$2 # Classes to be searched for/removed CLASSES="org/apache/log4j/net/SimpleSocketServer.class org/apache/log4j/net/SocketServer.class org/apache/log4j/net/JMSAppender.class" PROGNAME=`basename $0` PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'` usage () { echo >&2 Usage: ${PROGNAME} DIR [APPLY] echo >&2 Where DIR is the starting directory for find echo >&2 and APPLY = "Y" - to perform purification exit 1 } # Force upper case on Apply APPLY=$(echo "${APPLY}" | tr '[:lower:]' '[:upper:]') # Default Apply to N if [ "$APPLY" == "" ] ; then APPLY="N" fi # Check parameters if [ "$DIR" == "" ] ; then usage fi echo $APPLY | grep -q -i -e '^Y$' -e '^N$' || usage # Search for log4j jar files - for class file removal FILES=$(find $DIR -name *log4j*jar) for f in $FILES do echo "Checking Jar [$f]" for jf in $CLASSES do unzip -v $f | grep -e "$jf" if [ "$APPLY" = "Y" ] then echo "Deleting $jf from $f" zip -d $f $jf fi done done # Search for Log4j properties files - for read-only setting PFILES=$(find $DIR -name *log4j*properties) for f in $PFILES do echo "Checking permissions [$f]" if [ "$APPLY" = "Y" ] then echo "Changing permissons on $f" chmod 444 $f fi ls -l $f done