Apache Log4j 1.2.x Release Notes

Notes

• This release originates from the open‑source Apache Log4j project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.

Bug Fixes

• Fixed a serialization vulnerability in SocketServer by hardening how data is deserialized. (CVE-2019-17571)
• Improved security for SMTPAppender by enabling server identity verification for SSL connections by default. (CVE-2020-9488)
• Hardened Chainsaw and related components against unsafe deserialization using object whitelisting. (CVE-2020-9493 / CVE-2022-23307)
• Restricted JNDI usage within the library to only allow objects from the trusted Java JNDI namespace. (CVE-2021-4104)
• Enhanced JDBCAppender security by utilizing PreparedStatement to prevent SQL injection. (CVE-2022-23305)
• Secured JMSSink by restricting JNDI lookups to the safe java: namespace. (CVE-2022-23302)
• Fixed Chainsaw implementation by introducing a safeguard that limits the amount of serialized data accepted during deserialization in the affected logging components. (CVE-2023-26464)