Velvet Star Monitor


Does the Log4j security violation vulnerability affect log4net?

Writer Sophia Terry

I have recently read about the zero-day issue in Log4j. I work with a few applications, written with .NET, that use the log4net logging library, which is based on Log4j.

Does log4net have any similar security vulnerabilities as the CVE-2021-44228 vulnerability to Log4j?


5 Answers

Vulnerability Details: CVE-2021-44228 (CVE Details) and CVE-2021-44228 (CVE) have the following note:

Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

So, no. Log4Net is fine.

Apparently it has to use JNDI and JVM. Ports are clear if they don't use those.

Does CVE-2021-44228 impact Log4j ports?

No, it is specific to Log4j-core. Please see CVE-2021-44228 Detail (NIST).

Long ago I was programming C++ when I found out that the C++ package I was using to access the database was just a wrapper for Java code.

The fact that the security bug exists in a Java-only core part of Log4j doesn't mean that Log4Net is bug-free and safe. It might just as well have other security issues.

In fact, any piece of software can have vulnerabilities and probably has them too. It isn't just a problem with Log4j or Log4net but a problem with any package we quickly accept and put our trust in.


Does log4net have any similar security vulnerabilities as the CVE-2021-44228 vulnerability to Log4j?

I don't believe so. If they did, it would be a coincidence. I don't think they share code.

