On 2022-01-13, Christopher Schultz wrote:

> On 1/12/22 15:57, Stefan Bodewig wrote:
>> On 2022-01-12, <ashley.ding...@wellsfargo.com.INVALID> wrote:

>>>    1.  Do you have any mitigation options available for addressing both 
>>> CVE-2019-17571 and CVE-2021-4104?
>>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104

>> the same mitigations the Log4J project recommend, please see
>> https://logging.apache.org/log4j/2.x/security.html

> Note that the above CVEs are for log4j v1, not log4j v2.

> The only mitigations for those are:

> a. Don't use those things (and really nobody does)
> b. Remove the .class files from the JAR files if you are that concerned

I was hoping the page I linked was saying just that ;-)

You are of course correct, the only real recommendation is to not use
log4j 1.x at all.

Stefan
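
Option (b) from the quoted reply, sketched as an added example that is not part of the original thread: find the affected log4j 1.x classes in a JAR (or a JAR nested in a WAR/EAR) and write a copy without them. The two class names are assumptions taken from the public CVE descriptions, not from this thread, and the function names and sample archive are constructed for illustration.

```python
import io
import zipfile

# Assumption: class names come from the public CVE descriptions, not this thread.
RISKY = {
    "org/apache/log4j/net/SocketServer": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender": "CVE-2021-4104",
}

def match_cve(entry):
    """Return the CVE id if entry is a listed class or one of its inner classes."""
    if not entry.endswith(".class"):
        return None
    return RISKY.get(entry[:-len(".class")].split("$", 1)[0])

def scan(data, prefix=""):
    """List (path, cve) for listed classes, descending into nested archives."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            cve = match_cve(name)
            if cve:
                hits.append((prefix + name, cve))
            elif name.lower().endswith((".jar", ".war", ".ear")):
                hits += scan(zf.read(name), prefix + name + "!/")
    return hits

def strip_risky(data):
    """Return a copy of a JAR without the listed classes (top level only)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if match_cve(info.filename) is None:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample():
    """Constructed sample: a fake log4j 1.x JAR (empty entries) and a WAR holding it."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        for n in ("org/apache/log4j/Logger.class",
                  "org/apache/log4j/net/SocketServer.class",
                  "org/apache/log4j/net/JMSAppender.class"):
            zf.writestr(n, b"")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-1.2.17.jar", jar.getvalue())
    return jar.getvalue(), war.getvalue()
```

Run `scan` over every deployed archive first; a hit inside a nested JAR means that inner JAR has to be stripped and the outer archive repackaged.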
