Log4J on Linux & Windows

In regarding to Log4J issue - https://www.wired.com/story/log4j-flaw-hacking-internet/https://www.wired.com/story/log4j-flaw-hacking-internet/

From the Thread “Java Zero Day Question” Kevin.Herron mentioned
7.9 and 8.x don’t use Log4J.

But
I have Ignition 7.9 on Debian Linux
I see
./etc/ignition/log4j.properties
./var/lib/ignition/data/log4j.properties

is the Ignition 8.x on Windows and Linux are using the same logback ? so we can cross out
Ignition 8.x

For Ignition 7.9 Windows, how do we check for Log4J?

Tks
John

Nothing to worry about, we don’t use log4j as the logging backend. The log4j.properties files are artifacts from the past and are not used.

2 Likes

Excellent, Thanks Kevin.

So we can ignore both Windows and Linux based Ignition for both 7.9 and 8.1

Tks

J.

Yes, should be good to go. The last version of Ignition that used log4j was 7.8, and it used something like log4j version 1.2.x, which isn’t affected by this CVE.

Those who snoop around may find an artifact called log4j-over-slf4j, but this just a bridge that let us move from log4j to slf4j/logback without modifying every single file that had used a log4j logger.

4 Likes

I would like to be 100% certain on this topic…can this please be clarified? The following library is running on our test and production Ignition servers. It is not part of this CVE?

/usr/local/bin/ignition/lib/core/common/log4j-over-slf4j-1.7.26.jar

Thank you in advance!

As @Kevin.Herron said, this is just a bridge that let them move from log4j to slf4j easily.

1 Like