Fork of Apache log4j with security fixes.
A new fork, reload4j, seems a better option and a better place to join forces on maintaining a secure version of log4j 1:
https://github.com/qos-ch/reload4j
```xml
<dependency>
    <groupId>com.github.albfernandez</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.18.ayg04</version>
</dependency>
```
- Fixes for security vulnerabilities:
  - CVE-2017-5645. Remote code execution using the TCP socket server or UDP socket server.
  - CVE-2019-17571. SocketServer class that is vulnerable to deserialization of untrusted data.
  - CVE-2020-9488. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
  - CVE-2020-9493. Deserialization flaw was found in Apache Chainsaw (removed Chainsaw).
  - CVE-2021-4104. Deserialization of untrusted data in JMSAppender (removed JMSAppender.java and related JMS code).
  - CVE-2022-23302. Deserialization of untrusted data in JMSSink (removed JMSSink.java and related JMS code).
  - CVE-2022-23307. Deserialization flaw was found in Apache Chainsaw (removed Chainsaw).
  - CVE-2022-23305. SQL injection in JDBCAppender.
  - CVE-2023-26464. Not affected, because this fork is compiled for Java 8 and cannot run on a JRE lower than 1.8.
- Prevent XXE attacks.
- Removed NTEventLogAppender.
- Removed Chainsaw.
- Removed lf5.
- Removed jmx.
- Java 11, 17 and 21 support.
- Compiled for Java 8.
- Published in Maven Central.
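As an added example (not code from this fork or from Apache log4j), the following Python script audits a log4j 1.x configuration for appender classes this fork removed or patched, so a switch from stock log4j 1.2.x can be checked before deployment. The class names and CVE ids come from the list above; the sample configurations are constructed, and the class-to-status mapping is this example's own table, not anything the fork ships.

```python
import re
import xml.etree.ElementTree as ET

# Appender classes this fork removed or patched, keyed by fully qualified class
# name, with the advisory listed in the README (or none for plain removals).
WATCHLIST = {
    "org.apache.log4j.net.JMSAppender": ("removed", "CVE-2021-4104"),
    "org.apache.log4j.net.JMSSink": ("removed", "CVE-2022-23302"),
    "org.apache.log4j.nt.NTEventLogAppender": ("removed", "no CVE listed"),
    "org.apache.log4j.lf5.LF5Appender": ("removed", "no CVE listed"),
    "org.apache.log4j.jdbc.JDBCAppender": ("patched", "CVE-2022-23305"),
    "org.apache.log4j.net.SMTPAppender": ("patched", "CVE-2020-9488"),
}

# Matches "log4j.appender.NAME=CLASS" but not "log4j.appender.NAME.option=...".
_PROP_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)\s*$")

def audit_properties(text):
    """Return [(appender, class, status, advisory)] for a log4j.properties file."""
    findings = []
    for line in text.splitlines():
        m = _PROP_APPENDER.match(line)
        if m and m.group(2) in WATCHLIST:
            findings.append((m.group(1), m.group(2)) + WATCHLIST[m.group(2)])
    return findings

def audit_xml(text):
    """Same check for a log4j.xml file; expat does not fetch external DTDs."""
    findings = []
    for node in ET.fromstring(text).iter("appender"):
        cls = node.get("class", "")
        if cls in WATCHLIST:
            findings.append((node.get("name"), cls) + WATCHLIST[cls])
    return findings

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_PROPERTIES = """\
log4j.appender.console=org.apache.log4j.ConsoleAppender
log4j.appender.console.layout=org.apache.log4j.PatternLayout
log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender
log4j.appender.db.sql=INSERT INTO logs VALUES ('%m')
log4j.appender.jms=org.apache.log4j.net.JMSAppender
"""
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="console" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="mail" class="org.apache.log4j.net.SMTPAppender"/>
  <root><level value="INFO"/><appender-ref ref="console"/></root>
</log4j:configuration>
"""
```

Run `audit_properties` and `audit_xml` over a project's real configuration files; any "removed" finding means the application will fail to load that appender under this fork, and any "patched" finding marks an appender whose inputs still deserve review.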