Issue
I am using log4j 1.2.16. I am using this with maven selenium testng java project. I am looking for a solution without upgrading the version of log4j.
```xml
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.16</version>
</dependency>
```
Solution
The other answer is not correct. There is also a vulnerability for Version 1.x. CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2021-4104:
A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker.
For the mitigation of this vulnerability:
These are the possible mitigations for this flaw for releases version 1.x:
- Comment out or remove JMSAppender in the Log4j configuration if it is used
- Remove the JMSAppender class from the classpath. For example:

  ```sh
  zip -q -d log4j-*.jar org/apache/log4j/net/JMSAppender.class
  ```
- Restrict access for the OS user on the platform running the application to prevent modifying the Log4j configuration by the attacker.
Answered By - Eray Tufan
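To verify the two mitigations listed in the answer, here is an added Python example (not part of the original answer) that checks whether a log4j 1.x jar still ships `org/apache/log4j/net/JMSAppender.class`, produces a copy with that entry removed (the effect of the `zip -d` command above), and scans a `log4j.properties` file for appenders declared with the JMSAppender class. The jar and the properties text are constructed stand-ins; XML-style log4j configuration is not handled.

```python
import io
import re
import zipfile

# Class entry the answer removes with `zip -d`, and the class name as written in log4j config.
JMS_CLASS_ENTRY = "org/apache/log4j/net/JMSAppender.class"
JMS_CLASS_NAME = "org.apache.log4j.net.JMSAppender"
# Appender class declarations only ("log4j.appender.jms=<class>"); the extra dot in lines such as
# "log4j.appender.jms.TopicBindingName=..." keeps them from matching.
APPENDER_DECL = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)\s*$")

def jar_has_jms_appender(jar_bytes):
    """True if the jar (passed as bytes) still ships JMSAppender.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return JMS_CLASS_ENTRY in jar.namelist()

def strip_jms_appender(jar_bytes):
    """Copy of the jar without JMSAppender.class, i.e. what the answer's `zip -d` does in place."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JMS_CLASS_ENTRY:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def configured_jms_appenders(properties_text):
    """Names of appenders in a log4j 1.x properties config whose class is JMSAppender."""
    found = []
    for line in properties_text.splitlines():
        if line.lstrip().startswith(("#", "!")):
            continue  # properties-file comment
        m = APPENDER_DECL.match(line)
        if m and m.group(2) == JMS_CLASS_NAME:
            found.append(m.group(1))
    return found

def build_sample_jar(include_jms):
    """Constructed stand-in for log4j-1.2.16.jar; only the entry names matter for the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if include_jms:
            jar.writestr(JMS_CLASS_ENTRY, b"")
    return buf.getvalue()

# Constructed log4j.properties with one file appender and one JMS appender.
SAMPLE_CONFIG = """\
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.FileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""
```

Run `jar_has_jms_appender` against the real jar on the classpath after applying the `zip -d` step to confirm the class is gone, and `configured_jms_appenders` against each deployed `log4j.properties` to confirm no appender is left using JMSAppender.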