beaTunes: Discussion
Log4j Vulnerability (2021-12-14T21:36:29Z)
<div><p>Hi Dave,</p>
<blockquote>
<p>I see that BeaTunes has log4j 1.2.17 which is a really old version of the library and has security issues according to Oracle.</p>
</blockquote>
<p>The issue you saw in the news only affects log4j version 2, not version 1.x.</p>
<p>The indeed very old version of log4j that beaTunes uses is not a great choice either, but it is apparently safe regarding that JNDI-based zero-day exploit (see for example <a href="https://stackoverflow.com/a/70311014/942774">https://stackoverflow.com/a/70311014/942774</a> - the unsafe configuration mentioned, i.e. using <code>JMSAppender</code>, is not used by beaTunes).</p>
<blockquote>
<p>Is there any plan to update this?</p>
</blockquote>
<p>Not at the moment. Not only is beaTunes not affected. Not being a server connected to the Internet, it is also very very hard to make it log the malicious message (which is apparently the attack vector).</p>
<blockquote>
<p>If we manually update as per Oracle's directions, will beaTunes break?</p>
</blockquote>
<p>Not sure which directions exactly you are referring to, but most likely it will break beaTunes.</p>
<p>-hendrik</p></div>hendrik
2021-12-14T22:26:46Z
<div><p>Thank you</p>
<hr></div>Dave Meyers
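One way to check the two conditions discussed in this thread for any jar, as an added example that is not part of the original discussion or of beaTunes: it reports whether the jar carries log4j 1.x or the log4j 2.x `JndiLookup` class, and whether a bundled log4j 1.x configuration enables `JMSAppender`. It assumes the configuration sits inside the jar under the default names `log4j.properties` or `log4j.xml`; the sample jars are constructed in memory.

```python
import io
import re
import zipfile

LOG4J1_MARKER = "org/apache/log4j/Logger.class"  # present in log4j 1.x jars
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # log4j 2.x core
CONFIG_NAMES = ("log4j.properties", "log4j.xml")  # default log4j 1.x config files
JMS_APPENDER = re.compile(rb"org\.apache\.log4j\.net\.JMSAppender")


def active_text(name: str, raw: bytes) -> bytes:
    """Drop comments so a commented-out appender is not reported."""
    if name.endswith(".xml"):
        return re.sub(rb"<!--.*?-->", b"", raw, flags=re.S)
    lines = raw.splitlines()
    return b"\n".join(l for l in lines if not l.lstrip().startswith((b"#", b"!")))


def inspect_jar(data: bytes) -> dict:
    """Report the log4j generation in a jar and any config using JMSAppender."""
    found = {"log4j1": False, "log4j2_jndi_lookup": False, "jms_appender_configs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name == LOG4J1_MARKER:
                found["log4j1"] = True
            elif name == JNDI_LOOKUP:
                found["log4j2_jndi_lookup"] = True
            elif name.rsplit("/", 1)[-1] in CONFIG_NAMES:
                if JMS_APPENDER.search(active_text(name, jar.read(name))):
                    found["jms_appender_configs"].append(name)
    return found


def make_jar(entries: dict) -> bytes:
    """Build a jar in memory (constructed sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in entries.items():
            jar.writestr(name, body)
    return buf.getvalue()


# Constructed samples: log4j 1.x with JMSAppender commented out, then enabled.
SAFE_CFG = (b"log4j.appender.F=org.apache.log4j.FileAppender\n"
            b"# log4j.appender.J=org.apache.log4j.net.JMSAppender\n")
RISKY_CFG = b"log4j.appender.J=org.apache.log4j.net.JMSAppender\n"
SAFE_JAR = make_jar({LOG4J1_MARKER: b"", "log4j.properties": SAFE_CFG})
RISKY_JAR = make_jar({LOG4J1_MARKER: b"", "conf/log4j.properties": RISKY_CFG})

if __name__ == "__main__":
    for label, jar in (("safe", SAFE_JAR), ("risky", RISKY_JAR)):
        print(label, inspect_jar(jar))
```

A configuration loaded from outside the jar, or set up programmatically, is not seen by this check and has to be reviewed separately.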