I am going to use log4j version 2.3.2. Is it safe for me? [closed]
I want to use log4j library for my web app that is created with Java 6. Which version is safe for me? Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?
Solution 1:[1]
No versions of log4j 1.x are safe. It is end-of-life, and there are vulnerabilities that have not been patched. For log4j 2.x, the best advice is to use the most recent version.
At the time of writing this (2021-03-14), https://logging.apache.org/log4j/2.x/security.html says that log4j 2.3.2 is safe if you are running the code on a Java 6 JVM. But if you intend to run on a more recent JVM, the latest security patch is advisable.
See https://www.petefreitag.com/item/926.cfm for a list of recent log4j 1.x and 2.x vulnerabilities and their patch status.
I want to use log4j library for my web app that is created with Java 6.
The version of Java that your webapp was "created with" is not relevant from a security perspective. However, you should not use Java 6 or Java 7 to run your applications. They are both end-of-life, and you can only get security patches under a (paid) maintenance contract.
Do you recommend log4j or log4j2 considering their vulnerabilities and security issues?
Log4j2 is recommended. Log4j is end-of-life, and they have stopped publishing official security patches.
Solution 2:[2]
Using log4j2 instead of log4j is highly recommended. This page provides information about security for log4j2.
Log4j2 is a widely used library supported by a strong community.
However, determining if a library, like log4j2, is secure enough for a specific application depends on the application's security requirements.
Given the wide usage of log4j2 it seems that most people consider it secure enough.
Theoretically, the safest approach would be to use the latest log4j2 version in the latest LTS Java version possible so that your application takes advantage of all applied security improvements.
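Both answers reduce to one rule: log4j 1.x is end-of-life whatever JVM you run, and log4j 2.x must be at least 2.3.2 on a Java 6 JVM or the latest release from the Log4j security page on anything newer. The following classifier, added here as an example and not code from either answer, applies that rule to jars found on a classpath by reading the standard Implementation-Version attribute from each jar's manifest; the "latest" floor is not stated on this page, so the caller passes it in, and the sample jar builder is a constructed helper for trying it offline.

```python
import io
import re
import zipfile

# Floor taken from the answer above: 2.3.2 is the release for a Java 6 JVM. For a
# newer JVM the floor is the latest release on the Log4j security page, which this
# page does not state, so the caller passes it in as latest_floor.
JAVA6_FLOOR = "2.3.2"

def parse_version(text):
    """'2.3.2' -> (2, 3, 2); trailing qualifiers such as '-rc1' are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()

def manifest_version(jar_bytes):
    """Read Implementation-Version (a standard jar attribute) from META-INF/MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return None

def classify(jar_name, jar_bytes, runtime_java_major, latest_floor):
    """1.x is end-of-life on any JVM; 2.x needs >= 2.3.2 on Java 6, else >= latest."""
    if not jar_name.startswith("log4j"):
        return "not-log4j"
    version = manifest_version(jar_bytes)
    if version is None:  # no manifest metadata: fall back to the version in the file name
        m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", jar_name)
        version = m.group(1) if m else None
    if version is None:
        return "unknown"  # inspect by hand
    v = parse_version(version)
    if v[:1] == (1,):
        return "eol-unsafe"
    floor = parse_version(JAVA6_FLOOR if runtime_java_major <= 6 else latest_floor)
    return "ok" if floor and v >= floor else "upgrade"

def build_test_jar(version=None):
    """Constructed sample jar (manifest only) so the classifier can be tried offline."""
    manifest = "Manifest-Version: 1.0\r\n" + ("Implementation-Version: %s\r\n" % version if version else "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

Run it over every jar in WEB-INF/lib with the JVM major version you actually deploy on; anything reported as "eol-unsafe" or "upgrade" is a dependency to replace before shipping.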
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow