Hi,

Can the following questions be confirmed for Ant?

1. Which versions of your products utilize Log4j 1.x, if any?
2. Do they utilize the JMSAppender or SocketServer classes?
3. Do you have any mitigation options available for addressing both CVE-2019-17571 and CVE-2021-4104?
   https://nvd.nist.gov/vuln/detail/CVE-2019-17571
   https://nvd.nist.gov/vuln/detail/CVE-2021-4104
   * Would it impact the product if we deleted both the net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR itself?
4. Can you provide a roadmap of when you plan to move to Log4j version 2.15 or higher?

Thanks,

Ashley Dingman
Sr. Systems Operations Engineer
Wells Fargo Bank
ashley.ding...@wellsfargo.com