![]() ![]() Fine, thanks.Īlthough Java is not directly involved, I think it's noteworthy that Log::Log4perl offersĬode execution while reading configuration files. What you said is a fine explanation: i.e., 1) it implements v1 API of Log4j (and not v2) and 2) it is pure Perl and does not call Log4j's java jars. I wanted an explanation as to why it is not vulnerable. I don't know what you're getting at exactly. If you don't understand the source code, you will have to trust somebody who says that there is no vulnerability. Log::Log4perl does implement the version 1 API of Log4j. The main vulnerability in Log4j is the (v2) loading of code via JNDI. ![]() Log::Log4perl works without Java installed, so if it has vulnerabilities, these are not caused by any Java dependency. I don't know what you're getting at exactly, but I'm going to make some guesses: left-right quotes, ellipses) from the output of linux commands (and even systemd, possibly kernel messages, linux startup messages are full of them). Tangentially: I always thought superfluous enhancements is bad for open source software, starting from gcc's verbal diarrhea, to colour output to most linux commands, to getting unicode (e.g. So, bottomline is: Log4Shell doesn't *look* like it affects Perl's Log::Log4perl but can anyone explain why? I do take their word but I am unable to say anything from just reading the source code. It is a pure Perl port of the widely popular Apache/Jakarta log4j library for Java. But it is unclear to me still whether Log::Log4perl makes calls to the Java API of log4j (dangerous, at least until log4j is code-reviewed properly and superfluous and lethal enhancements are removed) or implements/emulates most of them (obviously not the remote code execution via JNDI) in pure Perl (not dangerous for JNDI injections). Log4Shell doesn't *look* like it affects Perl's Log::Log4perl according to Mark Gardner. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |