in reply to Log4Shell and Log::Log4perl

I don't know what you're getting at exactly, but I'm going to make some guesses:

Log::Log4perl works without Java installed, so if it has vulnerabilities, these are not caused by any Java dependency.

The main vulnerability in Log4j is the (v2) loading of code via JNDI. Log::Log4perl does implement the version 1 API of Log4j.

If you don't understand the source code, you will have to trust somebody who says that there is no vulnerability.

Re^2: Log4Shell and Log::Log4perl
by bliako (Abbot) on Dec 24, 2021 at 11:06 UTC
    I don't know what you're getting at exactly...

    I wanted an explanation as to why it is not vulnerable. What you said is a fine explanation: i.e., 1) it implements the v1 API of Log4j (and not v2) and 2) it is pure Perl and does not call Log4j's Java jars. Fine, thanks.