Hi,

The log4j2 security page also clearly states:

"Please note that Log4j 1.x has reached End of Life in 2015 and is no
longer supported. Vulnerabilities reported after August 2015 against Log4j
1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
to obtain security fixes."

And there is a security vulnerability present in log4j 1.x, CVE-2019-17571
<https://www.cvedetails.com/cve/CVE-2019-17571/> that might need addressing
in NetBeans. This is stated on the following page:

 - https://logging.apache.org/log4j/1.2/

Greets,
    Humphrey.

On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga
<geertjan.wiele...@googlemail.com.invalid> wrote:

> We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
>
> --
> nb16$ find . -type f | grep -i log4j
> ./extide/ant/lib/ant-apache-log4j.jar
> ./ide/modules/ext/log4j-1.2.15.jar
> --
>
> So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
> source [1]:
>
> "Log4j 1.x is not impacted by this vulnerability."
>
> (where "this vulnerability" means
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).
>
> Hope it helps,
>
> Gj
>
> [1]
> https://logging.apache.org/log4j/2.x/security.html
>
> On Mon, Jan 3, 2022 at 10:33 PM <ashley.ding...@wellsfargo.com.invalid>
> wrote:
>
>> Can the following questions be confirmed for NetBeans?
>>
>>    1. Which versions of your products utilize Log4j 1.x, if any?
>>    2. Do they utilize the JMSAppender or SocketServer classes?
>>    3. Do you have any mitigation options available for addressing both
>>    CVE-2019-17571 and CVE-2021-4104?
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>>
>>    4. Would it impact the product if we deleted both the
>>    net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR
>>    itself?
>>    5. Can you provide a roadmap of when you plan to move to Log4j version
>>    2.15 or higher?
>>
>> Thanks,
>>
>> Ashley Dingman
>>
>

-- 
In the mountains of truth, you never climb in vain - Nietzsche
#-------------------------------------------------------------
 \_O
,__/>
  <"
   '
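
Added example (not part of the original thread and not NetBeans code): the find/grep in the quoted message matches file names only, so this Python script opens each JAR under a directory and reports whether it contains the two classes asked about, org.apache.log4j.net.JMSAppender and org.apache.log4j.net.SocketServer. The sample tree is constructed with dummy class bytes; scan_jars, build_sample_tree and demo are hypothetical names.

```python
import os
import tempfile
import zipfile

# Classes named in the thread's questions (CVE-2021-4104 / CVE-2019-17571).
FLAGGED = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)

def scan_jars(root):
    """Map each .jar under root to the flagged classes it contains (None if unreadable)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with zipfile.ZipFile(path) as jar:
                    entries = set(jar.namelist())
            except (zipfile.BadZipFile, OSError):
                report[rel] = None  # corrupt or unreadable: needs manual review
                continue
            report[rel] = [c for c in FLAGGED if c in entries]
    return report

def build_sample_tree(root):
    """Constructed stand-ins for the two paths in the find output; contents are dummy bytes."""
    samples = {
        "ide/modules/ext/log4j-1.2.15.jar": list(FLAGGED) + ["org/apache/log4j/Logger.class"],
        "extide/ant/lib/ant-apache-log4j.jar": ["org/apache/tools/ant/listener/Log4jListener.class"],
    }
    for rel, entries in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"\xca\xfe\xba\xbe")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_jars(root)

if __name__ == "__main__":
    for jar, hits in sorted(demo().items()):
        print(jar, "->", hits if hits else "no flagged classes")
```

Run against a real installation by calling scan_jars on the install directory; a JAR reported with an empty list matched by name only and does not carry either class.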
