There are two CVEs for log4j 1.2, which is included in SmartClient 12.1:
https://nvd.nist.gov/vuln/detail/CVE-2020-9488
This vulnerability is a 3.7 (low), and is easy to mitigate by simply not using the SMTP appender.
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
This vulnerability is a 9.8 (critical). Unfortunately log4j 1.2 was end-of-lifed in 2015, and the only mitigation provided is to upgrade to log4j 2.
I've attempted using the log4j 2 backwards-compatibility module log4j-1.2-api; however, it doesn't appear to be compatible, as I get java.lang.NoClassDefFoundError: org/apache/log4j/spi/RootLogger.
Please advise whether SmartClient is vulnerable to CVE-2019-17571 due to the use of log4j 1.2. If it has remediated this vulnerability, how? And if not, what is the mitigation strategy going forward?
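An added check, not part of the original post and not SmartClient's or log4j's own code: a Python script that inventories a classpath of JAR files for the log4j 1.2 classes the two CVEs concern (org.apache.log4j.net.SocketServer for CVE-2019-17571, org.apache.log4j.net.SMTPAppender for CVE-2020-9488) and finds which class files reference org.apache.log4j.spi.RootLogger, the class named in the NoClassDefFoundError above. Running the same application JAR against a real log4j 1.2 JAR and then against only the log4j-1.2-api bridge shows whether something on the classpath links against a log4j 1.2 internal that the bridge does not provide. The JAR fixtures, their file names and the class-file bodies are constructed placeholders, not real bytecode.

```python
"""Inventory log4j 1.x classes on a classpath of JAR files (added example)."""
import io
import zipfile
from pathlib import Path

# JAR entry names of the classes of interest (standard JVM internal names).
SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"  # CVE-2019-17571
SMTP_APPENDER = "org/apache/log4j/net/SMTPAppender.class"  # CVE-2020-9488
ROOT_LOGGER = "org/apache/log4j/spi/RootLogger.class"      # class the NoClassDefFoundError names
LOG4J1_LOGGER = "org/apache/log4j/Logger.class"            # log4j 1.x public API entry point


def scan_jar(jar_bytes):
    """Return which classes of interest a single JAR contains."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    return {
        "log4j1_api": LOG4J1_LOGGER in names,
        "socket_server": SOCKET_SERVER in names,
        "smtp_appender": SMTP_APPENDER in names,
        "root_logger": ROOT_LOGGER in names,
    }


def find_referrers(jar_bytes, class_entry):
    """List .class entries (other than the class itself) that reference class_entry.

    The JVM stores referenced class names as modified-UTF-8 strings in the
    constant pool, so a byte search for the internal name (entry name without
    '.class') finds every class file that links against it.
    """
    needle = class_entry[: -len(".class")].encode("utf-8")
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name != class_entry and name.endswith(".class") and needle in zf.read(name):
                hits.append(name)
    return hits


def assess_classpath(jars):
    """jars: mapping of JAR file name -> bytes. Returns a summary of findings."""
    summary = {"cve_2019_17571_class": [], "cve_2020_9488_class": [],
               "root_logger_providers": [], "root_logger_referrers": []}
    for jar_name, data in jars.items():
        found = scan_jar(data)
        if found["socket_server"]:
            summary["cve_2019_17571_class"].append(jar_name)
        if found["smtp_appender"]:
            summary["cve_2020_9488_class"].append(jar_name)
        if found["root_logger"]:
            summary["root_logger_providers"].append(jar_name)
        for entry in find_referrers(data, ROOT_LOGGER):
            summary["root_logger_referrers"].append(f"{jar_name}!{entry}")
    # A referrer with no provider is exactly the condition that raises
    # java.lang.NoClassDefFoundError: org/apache/log4j/spi/RootLogger at runtime.
    summary["root_logger_unresolved"] = (
        bool(summary["root_logger_referrers"]) and not summary["root_logger_providers"]
    )
    return summary


def load_jars_from_dir(directory):
    """Read every *.jar under directory into the mapping assess_classpath expects."""
    return {p.name: p.read_bytes() for p in Path(directory).rglob("*.jar")}


def make_jar(entries):
    """Build an in-memory JAR (a plain zip) from {entry name: bytes}. Test fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed fixtures: the .class bodies are placeholders, not real bytecode.
FIXTURE_LOG4J12 = make_jar({
    LOG4J1_LOGGER: b"\xca\xfe\xba\xbe", SOCKET_SERVER: b"\xca\xfe\xba\xbe",
    SMTP_APPENDER: b"\xca\xfe\xba\xbe", ROOT_LOGGER: b"\xca\xfe\xba\xbe",
})
FIXTURE_BRIDGE = make_jar({LOG4J1_LOGGER: b"\xca\xfe\xba\xbe"})  # assumed: bridge lacks RootLogger
FIXTURE_APP = make_jar({
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"org/apache/log4j/spi/RootLogger",
})


def example_before_and_after():
    """Same app.jar against a log4j 1.2 JAR and against only the 1.2 bridge."""
    with_log4j12 = assess_classpath({"app.jar": FIXTURE_APP, "log4j-1.2.jar": FIXTURE_LOG4J12})
    bridge_only = assess_classpath({"app.jar": FIXTURE_APP, "log4j-1.2-api.jar": FIXTURE_BRIDGE})
    return with_log4j12, bridge_only


if __name__ == "__main__":
    before, after = example_before_and_after()
    print("with log4j 1.2:", before)
    print("bridge only:   ", after)
```

To run this against a real deployment, replace the fixtures with `assess_classpath(load_jars_from_dir("/path/to/WEB-INF/lib"))`; the `root_logger_referrers` list then names the JAR and class that still link against the log4j 1.2 internal, which is the dependency to track down before the bridge can stand in for log4j 1.2.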