noperator/log4j.md

Last active December 29, 2021 09:41

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/noperator/d360de81c061bc9c628b12d3f0e1e479.js"></script>
Save noperator/d360de81c061bc9c628b12d3f0e1e479 to your computer and use it in GitHub Desktop.

Download ZIP

Emerging threat details on CVE-2021-44228 in Apache Log4j

Raw

Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.

Technologies using Apache Log4j

The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.

Apache Druid
Apache Dubbo
Apache Flink
Apache Flume
Apache Hadoop
Apache Kafka
Apache Solr
Apache Spark
Apache Struts
Apache Tapestry
Apache Wicket
Elastic Elasticsearch
Elastic Logstash
Ghidra
Grails
Minecraft

The following projects don't appear to use Log4j by default, though they may optionally be configured to use it.

Apache Tomcat
Dropwizard
Elastic Kibana
Hibernate
JavaServer Faces
Oracle ATG Web Commerce
Spring Framework

Acknowledgements

Thanks to @sshell for the deep dive on this list.

See also

surbhik10 commented Dec 12, 2021

Kindly confirm if Apache Subversion is affected

jameskirsop commented Dec 13, 2021

Please add Graylog to this list, as per my fork.

max19931 commented Dec 13, 2021

https://github.com/apache/log4j/network/dependents has a even longer and more uptodate list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment