mschilli / log4perl

Log4j Implementation For Perl
http://log4perl.com

Is log4perl affected by CVE-2021-44228? (log4j) #112

Closed n00rm closed 2 years ago

n00rm commented 2 years ago

Hi, is there a possibility that log4perl is also affected by the CVE-2021-44228?

I couldn't find any reference to JNDI or something similar.

Thanks in advance!

More information about CVE-2021-44228 here: https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/

mjgardner commented 2 years ago

It's not. Log4perl doesn't support JNDI and won't download nor run code from the network unless you deliberately embed Perl code in its config file that explicitly does so. And if for some ill-advised reason you wanted to do that, you can and should explicitly specify which Perl opcodes and variables are allowed within a limited Safe compartment.

mohawk2 commented 2 years ago

@mjgardner is correct: there is no equivalent feature that can be exploited. I'll leave this issue open for now (as it shows as the most-recently-opened issue here for any visitors), but feel free to close it yourself or highlight any further issues or questions you may have.
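
The setting mjgardner refers to, shown as an added example (not part of the thread or of the project's own code): a Log4perl config value starting with `sub {` is a Perl hook, and `Log::Log4perl::Config->allow_code()` decides whether such hooks are refused, run inside a Safe compartment, or evaluated without restriction. The config text and the `try_init` helper are constructed for illustration.

```perl
use strict;
use warnings;
use Log::Log4perl;

# Constructed sample config. The cspec.U value is a Perl hook: Log4perl
# treats any config value that starts with "sub {" as code to compile.
my $conf = <<'EOT';
log4perl.rootLogger = INFO, Screen
log4perl.appender.Screen = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.Screen.layout.cspec.U = sub { return "hook-ran" }
log4perl.appender.Screen.layout.ConversionPattern = %U %m%n
EOT

# Hypothetical helper: initialise Log4perl under one allow_code setting and
# report whether the config (including its embedded hook) was accepted.
sub try_init {
    my ($setting) = @_;
    Log::Log4perl::Config->allow_code($setting);
    my $ok = eval { Log::Log4perl->init(\$conf); 1 };
    my $err = $ok ? '' : ($@ || 'unknown error');
    return ($ok ? 1 : 0, $err);
}

# 0: embedded Perl is refused outright, so init() dies on this config.
my ($ok_off, $err_off) = try_init(0);
print "allow_code(0):      ", ($ok_off ? "accepted" : "rejected: $err_off"), "\n";

# 'safe': hooks are compiled inside a Safe compartment with a limited
# opcode set. allowed_code_ops() and vars_shared_with_safe_compartment()
# can narrow or widen what the compartment permits.
my ($ok_safe, $err_safe) = try_init('safe');
print "allow_code('safe'): ", ($ok_safe ? "accepted" : "rejected: $err_safe"), "\n";
Log::Log4perl->get_logger->info("logged through the sandboxed hook") if $ok_safe;

# The default is allow_code(1), a plain eval with no restrictions. If config
# files can come from a less trusted source than the program itself, set 0
# (or 'safe') before calling init().
```

Whichever setting is used, the hook comes from the config file and not from logged message content, so write access to that file is the thing to control.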