Skip to content

Log4j vulnerability – Is Log4j 1.2.17 vulnerable (was unable to find any JNDI code in source)?

With regard to the Log4j JNDI remote code execution vulnerability that has been identified CVE-2021-44228 – (also see references) – I wondered if Log4j-v1.2 is also impacted, but the closest I got from source code review is the JMS-Appender.

The question is, while the posts on the Internet indicate that Log4j 1.2 is also vulnerable, I am not able to find the relevant source code for it.

Am I missing something that others have identified?

Log4j 1.2 appears to have a vulnerability in the socket-server class, but my understanding is that it needs to be enabled in the first place for it to be applicable and hence is not a passive threat unlike the JNDI-lookup vulnerability which the one identified appears to be.

Is my understanding – that Log4j v1.2 – is not vulnerable to the jndi-remote-code execution bug correct?

References

This blog post from Cloudflare also indicates the same point as from AKX….that it was introduced from Log4j 2!

Update #1 – A fork of the (now-retired) apache-log4j-1.2.x with patch fixes for few vulnerabilities identified in the older library is now available (from the original log4j author). The site is https://reload4j.qos.ch/. As of 21-Jan-2022 version 1.2.18.2 has been released. Vulnerabilities addressed to date include those pertaining to JMSAppender, SocketServer and Chainsaw vulnerabilities. Note that I am simply relaying this information. Have not verified the fixes from my end. Please refer the link for additional details.

Answer

The JNDI feature was added into Log4j 2.0-beta9.

Log4j 1.x thus does not have the vulnerable code.