On 2022-01-12, <ashley.ding...@wellsfargo.com.INVALID> wrote:

> Can the following questions be confirmed for Ant?

easily

>   1.  Which versions of your products utilize Log4j 1.x, if any?

By default Ant doesn't use any version of Apache Log4J at all.

There is a deprecated BuildLogger using Log4J 1.x. It will only be used
if you explicitly ask Ant to do so and you must provide the version of
log4j you want to use as well as the full configuration yourself for
this to work.

To be honest, most likely you don't use the log4j 1.x integration at all,
but this really is not anything we can tell you.

>   1.  Do they utilize the JMSAppender or SocketServer classes?

If and only if you configure it to do so.

>   1.  Do you have any mitigation options available for addressing both 
> CVE-2019-17571 and CVE-2021-4104?
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> https://nvd.nist.gov/vuln/detail/CVE-2021-4104

the same mitigations the Log4J project recommends, please see
https://logging.apache.org/log4j/2.x/security.html

>      *   Would it impact the product if we deleted both the 
> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR 
> itself?

"the product" will not be impacted if you delete log4j completely. Your
build process may be but this is not anything we can answer.

>   1.  Can you provide a roadmap of when you plan to move Log4j version 2.15 
> or higher?

never.

There is no plan to add a log4j 2.x build logger as nobody ever wanted
one and the log4j 1.x logger has been deprecated for years.

Stefan
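Added example, not from this thread or from the Ant project: a small Python script that audits a directory of JARs for the two log4j 1.x classes named in the question (`org/apache/log4j/net/JMSAppender.class` and `org/apache/log4j/net/SocketServer.class`) and writes a hardened copy with those entries removed, which is the class-deletion mitigation the question asks about. The sample JAR it builds is constructed, with placeholder bytes standing in for real class files; the file names and helper names are the example's own assumptions.

```python
"""Audit log4j 1.x JARs for JMSAppender/SocketServer and write a copy
without those entries.  A JAR is a zip archive, so the standard zipfile
module is enough; no log4j code is executed."""
import os
import tempfile
import zipfile

# Entries named in the two CVEs discussed above:
# CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer).
RISKY_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)


def is_log4j1_jar(zf):
    """log4j 1.x ships org/apache/log4j/Logger.class; 2.x lives under
    org/apache/logging/log4j, so this entry identifies the 1.x line."""
    return "org/apache/log4j/Logger.class" in zf.namelist()


def find_risky_entries(jar_path):
    """Return the risky entries present in a log4j 1.x JAR ([] otherwise)."""
    with zipfile.ZipFile(jar_path) as zf:
        if not is_log4j1_jar(zf):
            return []
        names = set(zf.namelist())
        return [entry for entry in RISKY_ENTRIES if entry in names]


def strip_risky_entries(jar_path, out_path):
    """Copy jar_path to out_path, dropping RISKY_ENTRIES; return what was dropped.
    The original JAR is left untouched so the change can be reviewed first."""
    removed = []
    with zipfile.ZipFile(jar_path) as src, \
            zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in RISKY_ENTRIES:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def audit_directory(root):
    """Walk root and map each affected JAR path to the risky entries it carries."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                hits = find_risky_entries(path)
                if hits:
                    findings[path] = hits
    return findings


def make_sample_jar(path):
    """Constructed stand-in for a log4j 1.x JAR (assumption: real class files
    replaced by the 4-byte class-file magic so the archive is cheap to build)."""
    placeholder = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", placeholder)
        zf.writestr("org/apache/log4j/FileAppender.class", placeholder)
        for entry in RISKY_ENTRIES:
            zf.writestr(entry, placeholder)


def demo(workdir=None):
    """Build the sample JAR, audit it, harden it, and re-audit the result."""
    workdir = workdir or tempfile.mkdtemp()
    jar = os.path.join(workdir, "log4j-1.x-sample.jar")  # hypothetical name
    make_sample_jar(jar)
    before = find_risky_entries(jar)
    hardened = os.path.join(workdir, "log4j-1.x-sample-hardened.jar")
    removed = strip_risky_entries(jar, hardened)
    after = find_risky_entries(hardened)
    return before, removed, after


if __name__ == "__main__":
    b, r, a = demo()
    print("before:", b)
    print("removed:", r)
    print("after:", a)
```

Run it against a real build tree by calling `audit_directory("/path/to/lib")` to list the JARs that still carry either class, then `strip_risky_entries(jar, hardened_copy)` for each one; keep the original until the build has been verified against the hardened copy, since, as the reply above notes, whether a build depends on those classes is something only the build's owner can answer.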
