Stefan,

On 1/12/22 15:57, Stefan Bodewig wrote:
> On 2022-01-12, <ashley.ding...@wellsfargo.com.INVALID> wrote:
>
>> Can the following questions be confirmed for Ant?
>
> Easily.
>
>>    1.  Which versions of your products utilize Log4j 1.x, if any?
>
> By default Ant doesn't use any version of Apache Log4J at all.
>
> There is a deprecated BuildLogger using Log4J 1.x. It will only be used
> if you explicitly ask Ant to do so, and you must provide the version of
> log4j you want to use as well as the full configuration yourself for
> this to work.
>
> To be honest, most likely you don't use the log4j 1.x integration at all,
> but this really is not anything we can tell you.
>
>>    2.  Do they utilize the JMSAppender or SocketServer classes?
>
> If and only if you configure it to do so.
>
>>    3.  Do you have any mitigation options available for addressing both
>> CVE-2019-17571 and CVE-2021-4104?
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>
> The same mitigations the Log4J project recommends; please see
> https://logging.apache.org/log4j/2.x/security.html

Note that the above CVEs are for log4j v1, not log4j v2.

The only mitigations for those are:

a. Don't use those things (and really nobody does)
b. Remove the .class files from the JAR files if you are that concerned

>>       *   Would it impact the product if we deleted both the
>> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR itself?
>
> "the product" will not be impacted if you delete log4j completely. Your
> build process may be, but this is not anything we can answer.
>
>>    4.  Can you provide a roadmap of when you plan to move Log4j version 2.15 or
>> higher?
>
> Never.
>
> There is no plan to add a log4j 2.x build logger as nobody ever wanted
> one and the log4j 1.x logger has been deprecated for years.

+1

-chris

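Mitigation (b) above, removing the two classes from the Log4j 1.x jar, as an added example that is not part of this thread or of Ant: a small Python script using the standard zipfile module (an alternative to `zip -d` or the JDK `jar` tool) that strips the entries and verifies they are gone. The entry paths are the real ones under org/apache/log4j/net/; the sample jar the `demo()` function builds is constructed for illustration only.

```python
"""Strip JMSAppender/SocketServer from a Log4j 1.x jar and verify the result.

Added example (not Ant's or Log4j's own code); uses only the standard library.
"""
import tempfile
import zipfile
from pathlib import Path

# Full entry names inside a log4j 1.x jar; the thread abbreviates them to
# net/JMSAppender.class and net/SocketServer.class.
RISKY_ENTRIES = {
    "org/apache/log4j/net/JMSAppender.class",   # CVE-2021-4104
    "org/apache/log4j/net/SocketServer.class",  # CVE-2019-17571
}


def find_risky_entries(jar_path):
    """Return the risky entries actually present in the jar, sorted."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(set(zf.namelist()) & RISKY_ENTRIES)


def strip_risky_entries(jar_path):
    """Rewrite the jar without the risky entries and return what was removed.

    The new jar is written next to the original and swapped in atomically,
    so an interrupted run never leaves a truncated jar on the classpath.
    """
    jar_path = Path(jar_path)
    tmp_path = jar_path.with_name(jar_path.name + ".tmp")
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in RISKY_ENTRIES:
                removed.append(info.filename)
                continue
            # Copy every other entry with its original metadata and compression.
            dst.writestr(info, src.read(info.filename))
    tmp_path.replace(jar_path)
    return sorted(removed)


def demo():
    """Build a constructed stand-in for a log4j 1.x jar, strip it, report."""
    jar = Path(tempfile.mkdtemp()) / "log4j-1.x-sample.jar"  # constructed jar
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for name in RISKY_ENTRIES:  # dummy class bodies, not real bytecode
            zf.writestr(name, b"\xca\xfe\xba\xbe")
    before = find_risky_entries(jar)
    removed = strip_risky_entries(jar)
    after = find_risky_entries(jar)
    with zipfile.ZipFile(jar) as zf:
        kept = sorted(zf.namelist())
    return before, removed, after, kept
```

Run `strip_risky_entries()` on the real jar your build references and re-run `find_risky_entries()` afterwards; an empty list is the check that both classes are gone.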

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@ant.apache.org
For additional commands, e-mail: user-h...@ant.apache.org
