ESAPI Log4J 1.x users - Please read - Log4J 1 CVE-2021-4104

27 views

Skip to first unread message

Kevin W. Wall

unread,

Dec 18, 2021, 4:29:00 PM12/18/21

to esapi-project-users

It turns out while putting together a TL;DR analysis of ESAPI and Log4Shell (which I expect to be sending out soon), that I realized that I forgot to mention a CVE regarding Log4J 1.x that I just noticed.

If you are still using the deprecated Log4J 1.x logging with ESAPI, please read this new security bulletin:

https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin6.pdf

(which applies to all versions of ESAPI) to make sure that you are not vulnerable.

Thanks,

-kevin

Blog: https://off-the-wall-security.blogspot.com/ | Twitter: @KevinWWall | OWASP ESAPI Project co-lead
NSA: All your crypto bit are belong to us.

Reply all

Reply to author

Forward

0 new messages