Ashley,
NOTE: I do not speak for the Apache ant community. I'm just a volunteer
and member of the community.
On 1/12/22 13:37, ashley.ding...@wellsfargo.com.INVALID wrote:
Hi,
Can the following questions be confirmed for Ant?
1. Which versions of your products utilize Log4j 1.x, if any?
ant is open source. You can discover the answer to this question for
yourself. The only relevant version is "whichever version of ant you use."
2. Do they utilize the JMSAppender or SocketServer classes?
No. At least not unless you have specifically configured ant to use (a)
log4j and (b) the JMSAppender or SocketServer.
3. Do you have any mitigation options available for addressing both
CVE-2019-17571 and CVE-2021-4104?
https://nvd.nist.gov/vuln/detail/CVE-2019-17571
https://nvd.nist.gov/vuln/detail/CVE-2021-4104
That will depend upon your use of ant, if any.
* Would it impact the product if we deleted both the
net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x
JAR itself?
If you can find these classes in Apache ant or any of its dependencies,
removing those classes would only cause a problem if you had somehow
configured ant to use (a) log4j and (b) the JMSAppender or SocketServer.
In practice, you don't find those classes and if you DID find those
classes, removing them wouldn't make any difference at all.
4. Can you provide a roadmap of when you plan to move to Log4j version
2.15 or higher?
Do you have any evidence which suggests that Apache ant uses *any*
version of Apache log4j, particularly in your environment?
I think it's really important to point out that Apache ant is a build
tool and not usually part of any online system. Sure, it's entirely
possible to make ant available remotely, but ... nobody really does that.
-chris
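Chris's answer to the first two questions is "check for yourself": look at the JARs actually deployed with your ant installation. The script below is an added example, not code from Apache ant or from the thread; it walks a lib directory, flags any JAR that carries Log4j 1.x's own `org/apache/log4j/Logger.class`, and reports whether the `JMSAppender` / `SocketServer` entries discussed above are present. The fixture directory it builds (`build_sample_lib`) and its file names are constructed for the demonstration.

```python
"""Scan a directory tree of JARs for Log4j 1.x and its JMSAppender/SocketServer classes."""
import os
import tempfile
import zipfile
from typing import Dict, List

# The two class entries named in the thread (CVE-2021-4104 and CVE-2019-17571).
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
# Present in every Log4j 1.x jar; Log4j 2 lives under org/apache/logging/log4j instead.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"

def inspect_jar(path: str) -> Dict[str, object]:
    """Return whether a jar is Log4j 1.x and which of the risky classes it carries."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return {
        "is_log4j1": LOG4J1_MARKER in names,
        "risky": sorted(c for c in RISKY_CLASSES if c in names),
    }

def scan_tree(root: str) -> List[Dict[str, object]]:
    """Walk root, inspect every .jar, and report only the jars that matter."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                full = os.path.join(dirpath, name)
                try:
                    info = inspect_jar(full)
                except zipfile.BadZipFile:
                    continue  # not a real zip; nothing to assess
                if info["is_log4j1"] or info["risky"]:
                    findings.append({"jar": full, **info})
    return findings

def build_sample_lib() -> str:
    """Constructed fixture: an ant-style lib dir holding one Log4j 1.x jar and one clean jar."""
    root = tempfile.mkdtemp(prefix="antlib-")
    with zipfile.ZipFile(os.path.join(root, "log4j-1.x-sample.jar"), "w") as zf:
        for entry in (LOG4J1_MARKER,) + RISKY_CLASSES:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(os.path.join(root, "ant.jar"), "w") as zf:
        zf.writestr("org/apache/tools/ant/Main.class", b"\xca\xfe\xba\xbe")
    return root

if __name__ == "__main__":
    for f in scan_tree(build_sample_lib()):
        print(f["jar"], "log4j1" if f["is_log4j1"] else "", f["risky"])
```

Point `scan_tree` at your real `$ANT_HOME/lib` (and `~/.ant/lib`) instead of the fixture; an empty result is the evidence Chris asks for that ant is not carrying Log4j 1.x in your environment.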