On 2022-01-12, <ashley.ding...@wellsfargo.com.INVALID> wrote: > Can the following questions be confirmed for Ant?
easily > 1. Which versions of your products utilize Log4j 1.x, if any? By default Ant doesn't use any version of Apache Log4J at all. There is a deprecated BuildLogger using Log4J 1.x. It will only be used if you explicitly ask Ant to do so and you must provide the version of log4j you want to use as well as the full configuration yourself for this to work. To be honest. Most likely you don't use the log4j 1.x integration at all but this really is not anything we can tell you. > 1. Do they utilize the JMSAppender or SocketServer classes? If and only if you configure it to do so. > 1. Do you have any mitigation options available for addressing both > CVE-2019-17571 and CVE-2021-4104? > https://nvd.nist.gov/vuln/detail/CVE-2019-17571 > https://nvd.nist.gov/vuln/detail/CVE-2021-4104 the same mitigations the Log4J project recommend, please see https://logging.apache.org/log4j/2.x/security.html > * Would it impact the product if we deleted both the > net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR > itself? "the product" will not be impacted if you delete log4j completely. Your build process may be but this is not anything we can answer. > 1. Can you provide a roadmap of when you plan to move Log4j version 2.15 > or higher? never. There is no plan to add a log4j 2.x build logger as nobody ever wanted one and the log4j 1.x logger has been deprecated for years. Stefan --------------------------------------------------------------------- To unsubscribe, e-mail: user-unsubscr...@ant.apache.org For additional commands, e-mail: user-h...@ant.apache.org
