Is SavaPage affected by the log4j shell vulnerability?

Short answer: no. SavaPage uses an older log4j 1.2.17 version. This version does support JNDI options in its JMS (Java Message Service) appender, but this appender is not used by SavaPage.

1 Like

But there are a lot of log4j CVEs!

  • cve.ics-csirt io/cve?vendor=apache&product=log4j
  • cve.mitre org/cgi-bin/cvekey.cgi?keyword=Apache%20Log4J

Another one in few days, to fix nvd.nist gov/vuln/detail/CVE-2021-44832:

  • logging.apache org/log4j/2.x/security.html

Only recent CVEs:

  • CVE-2021-4104
  • CVE-2021-44228
  • CVE-2021-44832
  • CVE-2021-45046
  • CVE-2021-45105

Note that there is a logback CVE too:

  • CVE-2021-42550

And previously slf4j etc.

@Neustradamus Yes, there are a many log4j 2.x CVEs. Could you be more specific about log4j 1.2.17 vulnerabilities that might affect SavaPage?