Skip to content

Instantly share code, notes, and snippets.

@noperator
Last active December 29, 2021 09:41
Show Gist options
  • Save noperator/d360de81c061bc9c628b12d3f0e1e479 to your computer and use it in GitHub Desktop.
Save noperator/d360de81c061bc9c628b12d3f0e1e479 to your computer and use it in GitHub Desktop.
Emerging threat details on CVE-2021-44228 in Apache Log4j

Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.

Technologies using Apache Log4j

The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.

  • Apache Druid
  • Apache Dubbo
  • Apache Flink
  • Apache Flume
  • Apache Hadoop
  • Apache Kafka
  • Apache Solr
  • Apache Spark
  • Apache Struts
  • Apache Tapestry
  • Apache Wicket
  • Elastic Elasticsearch
  • Elastic Logstash
  • Ghidra
  • Grails
  • Minecraft

The following projects don't appear to use Log4j by default, though they may optionally be configured to use it.

  • Apache Tomcat
  • Dropwizard
  • Elastic Kibana
  • Hibernate
  • JavaServer Faces
  • Oracle ATG Web Commerce
  • Spring Framework

Acknowledgements

Thanks to @sshell for the deep dive on this list.

See also

@surbhik10
Copy link

Kindly confirm if Apache Subversion is affected

@jameskirsop
Copy link

Please add Graylog to this list, as per my fork.

@max19931
Copy link

https://github.com/apache/log4j/network/dependents has a even longer and more uptodate list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment