
For Apache Log4j remediation priority it seems the best approach right now is:
1. log4j 2.x through 2.14 - update to 2.16
2. log4j 1.x - update to 2.16
3. log4j 2.15 - update to 2.16
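A small triage helper, added here as an illustration and not code from anyone in the thread: it parses log4j jar filenames (constructed sample names below), maps each version onto the three priority buckets the tweet lists, and orders the findings accordingly. The jar-name pattern and the inventory list are assumptions for the example; a real inventory would come from a filesystem or SBOM scan.

```python
"""Order log4j findings by the remediation priority given in the tweet:
  1. log4j 2.x up to 2.14.x -> update to 2.16
  2. log4j 1.x              -> update to 2.16
  3. log4j 2.15.x           -> update to 2.16
Anything at 2.16 or later is treated as already at the target.
"""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed naming convention: log4j-1.2.17.jar (1.x) or log4j-core-2.14.1.jar (2.x).
JAR_RE = re.compile(r"^log4j(?:-core)?-(\d+)\.(\d+)(?:\.(\d+))?\.jar$")

# Constructed sample inventory (not real hosts or findings).
SAMPLE_JARS = [
    "app1/lib/log4j-core-2.14.1.jar",
    "app2/lib/log4j-1.2.17.jar",
    "app3/lib/log4j-core-2.15.0.jar",
    "app4/lib/log4j-core-2.16.0.jar",
    "app5/lib/commons-logging-1.2.jar",  # not log4j, must be ignored
]


def parse_version(path: str) -> Optional[Version]:
    """Return (major, minor, patch) for a log4j jar filename, else None."""
    name = path.rsplit("/", 1)[-1]
    m = JAR_RE.match(name)
    if not m:
        return None
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def priority(version: Version) -> int:
    """Priority bucket from the tweet (1 = most urgent); 0 = already at target."""
    major, minor, _ = version
    if major == 1:
        return 2
    if major == 2:
        if minor <= 14:
            return 1
        if minor == 15:
            return 3
        return 0  # 2.16 or later
    # Unknown major: surface it first so a human looks at it.
    return 1


def triage(paths: List[str]) -> List[Tuple[int, str, str]]:
    """Return (priority, path, action) for every log4j jar that needs work,
    most urgent first. Non-log4j jars and jars already at 2.16+ are dropped."""
    findings = []
    for path in paths:
        version = parse_version(path)
        if version is None:
            continue
        prio = priority(version)
        if prio == 0:
            continue
        action = "update to 2.16 (currently %d.%d.%d)" % version
        findings.append((prio, path, action))
    return sorted(findings)


if __name__ == "__main__":
    for prio, path, action in triage(SAMPLE_JARS):
        print("P%d  %-36s %s" % (prio, path, action))
```

Filename matching is only a first pass: log4j classes bundled into shaded or uber jars, or copied loose onto a classpath, will not show up, so the inventory should be cross-checked against a class-level scan before an application is marked clean.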
logback is the real continuation of log4j1 by the original developer. Most people would really be better off using the far simpler and dramatically lower attack surface java.util.logging from the standard library. Fancy processing / triggers can be done separately via rsyslog.
Migrating from log4j1 to log4j2 could easily be a difficult task for a large project. Instead of taking a reactive approach and ending up with a far higher complexity and attack surface library, they should strongly consider using logback or java.util.logging. log4j2 is a mess.
logback is far closer to log4j1 than log4j2 and far lower attack surface. It was only vulnerable if the attacker had control of your configuration or you set up these rarely used features. twitter.com/DanielMicay/st is really the way to go for most people. Keep it simple instead...
Quote Tweet
java.util.logging is easy to use and has everything you would ever need. If you want fancy processing/triggers, you should use rsyslog. logger.warning("message"); logger.fine(() -> "lazy evaluation: " + parameter); That high-level API dynamically adds class/method name itself.