As the title says. Looked online for a clear answer but can't find an answer anywhere as most of them just link to Log4J.
The answer is simple: Log4JS and Log4J share only a similar name and API. The codebases are entirely different (and written in different languages). The vulnerability of Log4J obviously does not apply to Log4JS.
Is log4js safe to use? The npm package log4js was scanned for known vulnerabilities and a missing license, and no issues were found. Thus the package was deemed safe to use. See the full health analysis review.
This kind of vulnerability could not even be easily implemented in JavaScript. Java's vulnerability is based on JNDI lookups, which are usually used to retrieve simple configuration data. However, they also allow retrieving serialized Java objects and new classes (cf. Oracle's documentation).
The JavaScript equivalent of this vulnerability would be a formatter that replaces:
log.info('${jndi:some JS code}');
with
log.info(eval(some JS code));
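The design flaw the answer describes is a formatter that re-scans message data for lookup syntax. As an added example (not from the question, the answer, or the log4js project), the Node.js code below contrasts such a formatter with one that treats the message as opaque data, plus a small audit check; the names `CONFIG`, `expandLookups`, `formatUnsafe`, `formatSafe` and `treatsMessageAsData` are assumed.

```javascript
// Constructed lookup table standing in for "configuration data".
const CONFIG = { app: "billing", region: "eu-west-1", dbPassword: "hunter2" };

// Resolve ${key} tokens against CONFIG. Acceptable for a developer-controlled
// layout pattern; never acceptable for runtime message data.
function expandLookups(pattern) {
  return pattern.replace(/\$\{([^}]+)\}/g, (match, key) =>
    Object.prototype.hasOwnProperty.call(CONFIG, key) ? String(CONFIG[key]) : match
  );
}

// Flawed design: the layout is expanded, the message is spliced in, and the
// rendered line is expanded again, so ${...} inside message data is resolved.
function formatUnsafe(layout, message) {
  const line = expandLookups(layout).replace("%m", () => message);
  return expandLookups(line); // second pass re-scans message content
}

// Hardened design: expand the developer-controlled layout exactly once, then
// splice the message in as data. The function-form replacer also stops
// String.prototype.replace from interpreting "$&"-style patterns in it.
function formatSafe(layout, message) {
  const prefix = expandLookups(layout);
  return prefix.replace("%m", () => message);
}

// Audit check: a formatter passes if lookup syntax in message data survives
// untouched. "${app}" is a key that does exist in CONFIG, so expansion would
// visibly change the output.
function treatsMessageAsData(formatter) {
  const probe = "${app}";
  return formatter("%m", probe) === probe;
}

const LAYOUT = "[${app}/${region}] %m";
const USER_INPUT = "login failed for user ${dbPassword}"; // constructed attacker-shaped data
console.log(formatUnsafe(LAYOUT, USER_INPUT)); // leaks the configured secret
console.log(formatSafe(LAYOUT, USER_INPUT));   // token left verbatim
```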