Log4j

Comments

1 comment

  • Official comment
    Grant

    Hi Jon,

    We use a C++ logging library called log4cxx that's meant to be a functional clone of the Java log4j library. To make it as easy to use for administrators as possible, the log4cxx project tries to use the same format for configuring the log4cxx logging library - that includes using the same name for the configuration files (log4j.xml). We stuck with that naming convention because there's so much documentation available online for how to configure the log4j library, and our log4cxx implementation supports many of the same options.

    However, there is no JNDI capability built into log4cxx. That's a Java-specific capability, and attackers are using that "feature" in log4j for their exploits.

    The configuration files you are seeing are for log4cxx, and the similar naming to the files used by log4j is meant as a convenience for users (although we might have re-thought that naming decision today).

    Here's our official statement on log4j and Cerberus FTP Server for reference:

    Cerberus FTP Server does not use log4j and is not vulnerable to CVE-2021-44228.


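The distinction drawn in the comment above, between a file named log4j.xml and the Java log4j library itself, can be checked during scanner triage. The following is an added example, not code from Cerberus or from the original page: it separates config-file name matches from Java archives that actually contain log4j-core's JndiLookup class, including archives nested inside other archives. The function names, result keys and the sample directory tree are hypothetical and constructed for illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Class that implements the JNDI lookup inside the Java log4j-core library.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear")
CONFIG_NAMES = {"log4j.xml", "log4j.properties", "log4j2.xml"}

def archive_has_jndi_lookup(data, depth=0):
    """True if these archive bytes, or an archive nested inside, hold JndiLookup.class."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if JNDI_CLASS in names:
                return True
            nested = [n for n in names if n.lower().endswith(ARCHIVE_EXT)]
            return depth < 3 and any(
                archive_has_jndi_lookup(zf.read(n), depth + 1) for n in nested)
    except zipfile.BadZipFile:  # not a real archive despite its extension
        return False

def triage(root):
    """Separate config-file name matches from archives that carry the JNDI class."""
    result = {"config_name_only": [], "jndi_lookup_present": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() in CONFIG_NAMES:
            result["config_name_only"].append(rel)
        elif path.suffix.lower() in ARCHIVE_EXT and archive_has_jndi_lookup(path.read_bytes()):
            result["jndi_lookup_present"].append(rel)
    return result

def build_sample_tree(root):
    """Constructed sample: a native install with only log4j.xml, plus a Java app."""
    native, lib = Path(root, "native_app"), Path(root, "java_app", "lib")
    native.mkdir(parents=True)
    lib.mkdir(parents=True)
    (native / "log4j.xml").write_text("<log4j:configuration/>")  # config file, no JAR
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    with zipfile.ZipFile(lib / "app.jar", "w") as zf:
        zf.writestr("BOOT-INF/lib/logging.jar", inner.getvalue())  # nested archive

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A path listed under `config_name_only` is a filename match that needs no further action on its own; a path under `jndi_lookup_present` is where version and patch status should be checked.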