Presence of log4j Vulnerable classes in latest (1.3.0.Final) log4j-jboss-logmanager.jar


Sanjay

Mar 4, 2022, 1:56:28 PM
to WildFly
With the latest release of log4j-jboss-logmanager.jar even though some of the vulnerable classes like org/apache/log4j/chainsaw, org/apache/log4j/jdbc, JMSSink.class are removed, we still see some more vulnerable classes shipped with the latest version. Attached is the list of classes found in the latest jar below along with the corresponding CVE.

 *     org/apache/log4j/net/SMTPAppender.class # CVE-2020-9488
 *     org/apache/log4j/net/SMTPAppender$1.class # CVE-2020-9488
 *     org/apache/log4j/net/SocketNode.class # CVE-2019-17571
 *     org/apache/log4j/net/SocketServer.class # CVE-2019-17571
 *     org/apache/log4j/net/SocketAppender.class # CVE-2019-17571
 *     org/apache/log4j/net/SocketAppender$Connector.class # CVE-2019-17571

Are there any plans to remove them as well in future releases of log4j-jboss-logmanager?

Brian Stansberry

Mar 4, 2022, 2:17:35 PM
to WildFly
I don't know for sure about plans to remove these from the project (although my outsider's guess is not), but re these CVEs:

https://github.com/jboss-logging/log4j-jboss-logmanager/commit/2b425859f4218b32fe450fe4de5cfeeea1564ab3 is a backport of the equivalent log4j 2 CVE-2017-5645, so I believe jboss-log4j-logmanager is not affected since 1.1.4.

The SMTPAppender class in jboss-log4j-logmanager is not the shaded one from Apache Log4j 1, it's a fork.

The reason it was forked was to address CVE-2020-9488, so jboss-log4j-logmanager is not affected.

James Perkins

Mar 7, 2022, 11:52:47 AM
to WildFly
There are currently no plans to remove these from the library as the CVEs have been fixed in the project.
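An inventory check of the kind this thread is about, added here as an example and not code from the project or from any poster: it reports which of the cited classes a jar ships, keyed by the CVE each was cited against, together with the version read from the jar manifest, so the result can be compared against the fixed versions named in the replies instead of treating class presence as proof of exposure. The `Implementation-Version` manifest attribute and the sample jar built in `build_sample_jar` are assumptions for offline use, not the real artifact.

```python
import io
import zipfile

# Class names raised in the thread, mapped to the CVE each was cited against.
# Presence means only that the class is shipped: per the replies, the
# SocketServer fix was backported (since 1.1.4) and SMTPAppender is a fork
# that addressed CVE-2020-9488, so hits still need a version comparison.
CITED_CLASSES = {
    "org/apache/log4j/net/SMTPAppender.class": "CVE-2020-9488",
    "org/apache/log4j/net/SMTPAppender$1.class": "CVE-2020-9488",
    "org/apache/log4j/net/SocketNode.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketAppender.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketAppender$Connector.class": "CVE-2019-17571",
}


def inventory_jar(jar_bytes: bytes) -> dict:
    """Return {"version": str | None, "hits": {cve: [entry, ...]}} for one jar."""
    hits: dict = {}
    version = None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                # Assumed attribute name; adjust if the build uses another.
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        for entry, cve in CITED_CLASSES.items():
            if entry in names:
                hits.setdefault(cve, []).append(entry)
    return {"version": version, "hits": hits}


def build_sample_jar() -> bytes:
    """Constructed sample jar (not the real log4j-jboss-logmanager artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.3.0.Final\n")
        for entry in ("org/apache/log4j/net/SMTPAppender.class",
                      "org/apache/log4j/net/SocketServer.class",
                      "org/apache/log4j/Logger.class"):
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    return buf.getvalue()


if __name__ == "__main__":
    report = inventory_jar(build_sample_jar())
    print("manifest version:", report["version"])
    for cve, entries in report["hits"].items():
        print(cve, "->", ", ".join(entries), "(verify against fixed version)")
```

Point the function at a real jar with `inventory_jar(open(path, "rb").read())`; an empty `hits` dict means none of the cited classes are present.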