Short answer: no. SavaPage uses an older log4j 1.2.17 version. This version does support JNDI options in its JMS (Java Message Service) appender, but this appender is not used by SavaPage.
But there are a lot of log4j CVEs!
- cve.ics-csirt io/cve?vendor=apache&product=log4j
- cve.mitre org/cgi-bin/cvekey.cgi?keyword=Apache%20Log4J
Another one in a few days, to fix nvd.nist gov/vuln/detail/CVE-2021-44832:
- logging.apache org/log4j/2.x/security.html
Only recent CVEs:
- CVE-2021-4104
- CVE-2021-44228
- CVE-2021-44832
- CVE-2021-45046
- CVE-2021-45105
Note that there is a logback CVE too:
- CVE-2021-42550
And previously slf4j etc.
@Neustradamus Yes, there are many log4j 2.x CVEs. Could you be more specific about log4j 1.2.17 vulnerabilities that might affect SavaPage?
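The first reply's point is that log4j 1.2.17 only exposes JNDI options through its JMS appender, so what matters is whether a deployment's configuration uses that appender. The following added example (not part of the thread and not SavaPage code) checks a log4j 1.x properties-style configuration for a `JMSAppender` and whether any logger references it; the function name and both sample configurations are constructed for illustration and assume `key=value` lines.

```python
import re

# log4j 1.x appender class named in the thread as the one with JNDI options.
JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JMSAppender properties that feed JNDI lookups or the JNDI context.
JNDI_OPTIONS = ("TopicBindingName", "TopicConnectionFactoryBindingName",
                "ProviderURL", "InitialContextFactoryName")

def find_jms_appenders(properties_text):
    """Return {appender_name: {"attached": bool, "jndi_options": dict}}."""
    props = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()

    # Appender names referenced by the root logger or any named logger.
    attached = set()
    for key, value in props.items():
        if key == "log4j.rootLogger" or key.startswith(
                ("log4j.logger.", "log4j.category.")):
            # First comma-separated field is the level, the rest are appenders.
            attached.update(n.strip() for n in value.split(",")[1:] if n.strip())

    findings = {}
    for key, value in props.items():
        m = re.fullmatch(r"log4j\.appender\.([^.]+)", key)
        if m and value == JMS_APPENDER:
            name = m.group(1)
            options = {opt: props[f"{key}.{opt}"] for opt in JNDI_OPTIONS
                       if f"{key}.{opt}" in props}
            findings[name] = {"attached": name in attached,
                              "jndi_options": options}
    return findings

# Constructed sample configurations (not taken from SavaPage).
SAMPLE_FILE_ONLY = """
log4j.rootLogger=INFO, file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=logs/app.log
"""
SAMPLE_WITH_JMS = """
log4j.rootLogger=INFO, file, jms
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
"""
```

An empty result means the configuration defines no JMS appender; an entry with `attached` set to `False` means the appender is defined but no logger sends events to it.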