Skip to content

Instantly share code, notes, and snippets.

@noperator
Last active Dec 29, 2021
Embed
What would you like to do?
Emerging threat details on CVE-2021-44228 in Apache Log4j

Update: Please see Bishop Fox's rapid response post Log4j Vulnerability: Impact Analysis for latest updates about this vulnerability.

Technologies using Apache Log4j

The Cosmos 🌌 team at Bishop Fox 🦊 is currently researching open-source projects that appear to use Log4j by default.

  • Apache Druid
  • Apache Dubbo
  • Apache Flink
  • Apache Flume
  • Apache Hadoop
  • Apache Kafka
  • Apache Solr
  • Apache Spark
  • Apache Struts
  • Apache Tapestry
  • Apache Wicket
  • Elastic Elasticsearch
  • Elastic Logstash
  • Ghidra
  • Grails
  • Minecraft

The following projects don't appear to use Log4j by default, though they may optionally be configured to use it.

  • Apache Tomcat
  • Dropwizard
  • Elastic Kibana
  • Hibernate
  • JavaServer Faces
  • Oracle ATG Web Commerce
  • Spring Framework

Acknowledgements

Thanks to @sshell for the deep dive on this list.

See also

@surbhik10
Copy link

surbhik10 commented Dec 12, 2021

Kindly confirm if Apache Subversion is affected

@jameskirsop
Copy link

jameskirsop commented Dec 13, 2021

Please add Graylog to this list, as per my fork.

@max19931
Copy link

max19931 commented Dec 13, 2021

https://github.com/apache/log4j/network/dependents has a even longer and more uptodate list

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment