When using Apache Log4j 1.2, you need to be careful about how you construct the event data. If you use code such as the following, you could be exposed to a potential XSS attack through the Apache Log4j deserialization code:

log4j.debug("<script>alert('XSS');</script>");

Apache Log4j deserialization is protected in Apache Log4j 2.0 and later versions by additional filtering rules. You can confirm this by looking at the HTTP response headers for the above example. You should see a header such as:

HTTP/1.1 200 OK
X-Powered-By: Log4j 1.2

You can see an example of Apache Log4j 1.2 HTTP header filtering rules in the Apache Log4j 1.2 filtering rules GitHub repository.

Apache Log4j 2.0+ Filtering Rules

Apache Log4j 2.0+ is more secure than Apache Log4j 1.2, as it prevents the code from being vulnerable to XSS attacks. For example, if you're using a StringBuilder in your code, then the following would be true:

log4j.debug("<script>alert('XSS');</script>");

If you're not using a StringBuilder and instead manually constructing your own event data string, then you've got a potential XSS vulnerability.

Apache Log4j 2.0 and later versions

Apache Log4j 2.0 and later versions protect against the above attack by implementing additional filtering rules and a new FilterProvider class that you can use to define your own filters. You should use the org.apache.logging.log4j.core.FilterProvider class instead of using org.apache.logging.log4j2.core.FilterProvider, if you want to override the Apache Log4j 1.2 filter rules for Apache Log4j 1.2 in your application code:

import org.apache.logging.log4j.core._
import org._
import java._

Timeline

Published on: 01/18/2022 16:15:00 UTC
Last modified on: 07/25/2022 18:21:00 UTC