by pqyzwbq 1659 days ago
Does anyone know: if I depend on the following 2:

- org.apache.logging.log4j:log4j-api
- org.apache.logging.log4j:log4j-to-slf4j

but without a dependency on

- org.apache.logging.log4j:log4j-core

in this situation, is this safe from this RCE? Thanks.

Edit: This may affect both log4j 2.x and log4j 1.x (see comments below, thanks).

2 comments

> By the way, this only affects log4j 2.x (https://github.com/apache/logging-log4j2). log4j 1.x (https://github.com/apache/log4j) is not affected.

That's not what https://github.com/apache/logging-log4j2/pull/608#issuecomme... says

OK, thanks, didn't notice this when I read it.
Noticed this is answered in: https://github.com/apache/logging-log4j2/pull/608#issuecomme...

> I believe that applications that use log4j-api with log4j-to-slf4j, without using log4j-core, are not impacted by this vulnerability. (Because the lookup and JNDI implementations are in log4j-core.)
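One way to check whether the JNDI lookup class from log4j-core is actually present in a build, including jars nested inside a fat jar. This is an added example, not part of the thread or of the log4j project; the function names and the sample archives are constructed for illustration.

```python
import io
import zipfile

# Class implementing the JNDI lookup; it ships in log4j-core, not in log4j-api or log4j-to-slf4j.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear")
MAX_DEPTH = 5  # cap on nested-archive recursion


def find_jndi_lookup(data, label, depth=0):
    """Return the archive paths (outer!/inner) that contain JndiLookup.class."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; nothing to report
    with zf:
        for name in zf.namelist():
            if name.endswith(JNDI_LOOKUP):
                # endswith also catches copies under BOOT-INF/classes/ or WEB-INF/classes/
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_EXTS) and depth < MAX_DEPTH:
                hits += find_jndi_lookup(zf.read(name), f"{label}!/{name}", depth + 1)
    return hits


def make_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (empty placeholder class files, not real log4j builds).
API_JAR = make_jar({"org/apache/logging/log4j/Logger.class": b""})
BRIDGE_JAR = make_jar({"org/apache/logging/slf4j/SLF4JLogger.class": b""})
CORE_JAR = make_jar({JNDI_LOOKUP: b""})
APP_WITHOUT_CORE = make_jar({"BOOT-INF/lib/log4j-api.jar": API_JAR,
                             "BOOT-INF/lib/log4j-to-slf4j.jar": BRIDGE_JAR})
APP_WITH_CORE = make_jar({"BOOT-INF/lib/log4j-api.jar": API_JAR,
                          "BOOT-INF/lib/log4j-core.jar": CORE_JAR})

if __name__ == "__main__":
    for label, blob in (("app-without-core.jar", APP_WITHOUT_CORE),
                        ("app-with-core.jar", APP_WITH_CORE)):
        print(label, find_jndi_lookup(blob, label) or "no JndiLookup.class found")
```

The check looks at archive contents rather than file names, so a renamed log4j-core jar is still found; a shaded copy relocated to a different package would not match this path.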