On 2022-01-13, Christopher Schultz wrote:

> On 1/12/22 15:57, Stefan Bodewig wrote:
>> On 2022-01-12, <ashley.ding...@wellsfargo.com.INVALID> wrote:

>>> 1. Do you have any mitigation options available for addressing both
>>> CVE-2019-17571 and CVE-2021-4104?
>>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104

>> the same mitigations the Log4J project recommend, please see
>> https://logging.apache.org/log4j/2.x/security.html

> Note that the above CVEs are for log4j v1, not log4j v2.

> The only mitigations for those are:

> a. Don't use those things (and really nobody does)
> b. Remove the .class files from the JAR files if you are that concerned

I was hoping the page I linked was saying just that ;-)

You are of course correct, the only real recommendation is to not use
log4j 1.x at all.

Stefan
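
Added example, not part of the original thread and not code from the Ant or Log4j projects: a sketch of mitigation (b), which audits a JAR for the classes behind the two CVEs and writes a copy without them. The class paths are an assumption taken from the public CVE descriptions (the thread does not name them), and the sample JAR is constructed in memory with placeholder bytes.

```python
import io
import zipfile

# Assumption: class names come from the public CVE descriptions, not from the
# thread. Values are entry paths in a log4j 1.2.x JAR, without ".class".
RISKY_CLASSES = {
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer",
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender",
}

def risky_cve(name):
    """Return the CVE id if the entry is a listed class or one of its nested classes."""
    for cve, base in RISKY_CLASSES.items():
        if name == base + ".class" or name.startswith(base + "$"):
            return cve
    return None

def audit_jar(jar):
    """Return {cve: [entry names]} for listed classes present in the JAR."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if risky_cve(name):
                found.setdefault(risky_cve(name), []).append(name)
    return found

def strip_jar(src, dst):
    """Write a copy of src to dst without the listed classes; return removed names."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if risky_cve(info.filename):
                removed.append(info.filename)
            else:
                zout.writestr(info, zin.read(info.filename))
    return removed

def make_sample_jar():
    """Constructed stand-in for a log4j 1.x JAR (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for cls in ("Logger", "net/SocketServer", "net/JMSAppender", "net/SocketAppender"):
            zf.writestr("org/apache/log4j/" + cls + ".class", b"placeholder")
    return buf

if __name__ == "__main__":
    out = io.BytesIO()
    print("removed:", strip_jar(make_sample_jar(), out))
    print("still present:", audit_jar(out))
```

Both functions accept a file path as well as a file object, so the same calls work on a JAR on disk; write the stripped copy to a new file and swap it in only after audit_jar on the copy returns an empty result.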