Re: [jetty-dev] Jetty: Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

You have 2 recent CVEs for Log4j 2.x to be aware of - CVE-2021-44228 and CVE-2021-45046.
Both of these are currently resolved by simply upgrading to Log4j2 2.16.0.

Log4j 1.x was EOL in August 2015 and now has an ever-growing post-EOL CVE list; its use in production is not recommended anymore.

As Simone pointed out, Jetty has never had a dependency on log4j, any version.
If you are using log4j, then you added it to your own copy of Jetty.
Upgrading log4j, or deciding to switch to a different logging implementation (logback, java.util.logging, etc) will have zero impact on Jetty itself.

Joakim Erdfelt / joakim@xxxxxxxxxxx

On Thu, Dec 16, 2021 at 12:57 AM Kumar, Amit (Noida) via jetty-dev <jetty-dev@xxxxxxxxxxx> wrote:


Hi Team,


We are using the below jars provided by you. We want to ensure and know if they are impacted by “Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)”. If they are impacted, please let us know about the security recommendation. To know, we are looking for the following answers:



jetty-4.2.19 4.2.19

jetty-continuation-7.5.4.v20111024 7.5.4

jetty-http-7.5.4.v20111024 7.5.4

jetty-security-7.5.4.v20111024 7.5.4

jetty-util-7.5.4.v20111024 7.5.4

jetty-io-7.5.4.v20111024 7.5.4

jetty-server-7.5.4.v20111024 7.5.4



Are you using log4J?

If you are using log4j 1.x version, are you using the JMSAppender class?

If you are using log4j 2.x, what is your security recommendation to fix the issue?



Thanks and regards,


Amit Kumar

Tech Lead, Software Development Engineering

Financial & Risk Management Solutions

Mobile: +91-9990094588

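One way to check the point made in the reply above, namely whether a Log4j jar was added to a Jetty installation and whether it is below 2.16.0. This is an added example, not code from the Jetty project or from either author in the thread; the result labels and the `make_jar` helper are assumptions of the example, and its sample jars are constructed in memory.

```python
import io
import re
import zipfile
from pathlib import Path

# Entry paths inside the jars (Log4j's own package and Maven metadata layout).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 16, 0)  # version the reply above names as resolving both CVEs


def inspect_jar(data: bytes) -> str:
    """Classify one jar (given as bytes); labels are this example's own."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = set(jar.namelist())
        if POM_PROPS in names:
            props = jar.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(\d+)\.(\d+)(?:\.(\d+))?", props, re.M)
            if m:
                version = tuple(int(g or 0) for g in m.groups())
                return "log4j2-ok" if version >= FIXED else "log4j2-upgrade"
        if JNDI_LOOKUP in names:
            return "log4j2-unknown-version"  # shaded or repackaged copy
        if JMS_APPENDER in names:
            return "log4j1-JMSAppender"
        if any(n.startswith("org/apache/log4j/") for n in names):
            return "log4j1-classes"  # also matches the log4j-1.2-api bridge
        return "no-log4j"


def scan(root: str) -> dict:
    """Map every *.jar under root to its classification."""
    results = {}
    for path in Path(root).rglob("*.jar"):
        try:
            results[str(path)] = inspect_jar(path.read_bytes())
        except zipfile.BadZipFile:
            results[str(path)] = "unreadable"
    return results


def make_jar(entries: dict) -> bytes:
    """Build a constructed sample jar in memory for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Point `scan()` at the directory holding your Jetty installation and its added libraries; archives nested inside WAR files or fat jars are not opened by this version.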

