Fork of Apache log4j with security fixes.
A new fork reload4j seems a better option and a better place to join forces to maintain a secure version of log4j 1.
https://github.com/qos-ch/reload4j
<dependency>
<groupId>com.github.albfernandez</groupId>
<artifactId>log4j</artifactId>
<version>1.2.18.ayg04</version>
</dependency>- Fixes for security vulnerabilities
- CVE-2017-5645. Remote code execution using the TCP socket server or UDP socket server
- CVE-2019-17571. SocketServer class that is vulnerable to deserialization of untrusted data
- CVE-2020-9488. Improper validation of certificate with host mismatch in Apache Log4j SMTP appender.
- CVE-2020-9493. Deserialization flaw was found in Apache Chainsaw (Removed chainsaw).
- CVE-2021-4104. Deserialization of untrusted data in JMSAppender (Removed JMSAppender.java and related JMS stuff)
- CVE-2022-23302. Deserialization of untrusted data in JMSSink (Removed JMSSink.java and related JMS stuff)
- CVE-2022-23307. Deserialization flaw was found in Apache Chainsaw (Removed chainsaw).
- CVE-2022-23305 SQL injection in JDBCAppender
- CVE-2023-26464 (Not afected beacuse this is compiled for 1.8 and cannot be run in JRE lower than 1.8)
- Prevent XXE attacks.
- Removed NTEventLogAppender.
- Removed Chainsaw.
- Removed lf5.
- Removed jmx.
- Java 11, 17 and 21 support.
- Compiled for Java 8.
- Published in maven central