Indeed, that's a different vulnerability and, indeed, we do need to upgrade to the latest release of log4j.

Gj

On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx <hcl...@gmail.com> wrote:

> Hi,
>
> The log4j2 security page also clearly states:
>
> "Please note that Log4j 1.x has reached End of Life in 2015 and is no
> longer supported. Vulnerabilities reported after August 2015 against Log4j
> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
> to obtain security fixes."
>
> And there is a security vulnerability present in log4j 1.x, CVE-2019-17571
> <https://www.cvedetails.com/cve/CVE-2019-17571/> that might need
> addressing in NetBeans. This is stated on the following page:
>
> - https://logging.apache.org/log4j/1.2/
>
> Greets,
> Humphrey.
>
> On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga
> <geertjan.wiele...@googlemail.com.invalid> wrote:
>
>> We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
>>
>> --
>> nb16$ find . -type f | grep -i log4j
>> ./extide/ant/lib/ant-apache-log4j.jar
>> ./ide/modules/ext/log4j-1.2.15.jar
>> --
>>
>> So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
>> source [1]:
>>
>> "Log4j 1.x is not impacted by this vulnerability."
>>
>> (where "this vulnerability" means
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).
>>
>> Hope it helps,
>>
>> Gj
>>
>> [1] https://logging.apache.org/log4j/2.x/security.html
>>
>> On Mon, Jan 3, 2022 at 10:33 PM <ashley.ding...@wellsfargo.com.invalid>
>> wrote:
>>
>>> Can the following questions be confirmed for NetBeans?
>>>
>>> 1. Which versions of your products utilize Log4j 1.x, if any?
>>>
>>> 2. Do they utilize the JMSAppender or SocketServer classes?
>>>
>>> 3. Do you have any mitigation options available for addressing both
>>> CVE-2019-17571 and CVE-2021-4104?
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>>>
>>> 4. Would it impact the product if we deleted both the
>>> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x
>>> JAR itself?
>>>
>>> 5. Can you provide a roadmap of when you plan to move to Log4j version
>>> 2.15 or higher?
>>>
>>> Thanks,
>>>
>>> Ashley Dingman
>>>
>
> --
> In the mountains of truth, you never climb in vain - Nietzsche
> #-------------------------------------------------------------
> \_O
> ,__/>
> <"
> '
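As an added example, not part of this thread and not NetBeans project code: a Python script that automates the inventory step Geertjan describes (the `find . -type f | grep -i log4j` walk) and then looks inside each log4j jar for the two classes Ashley's questions concern, `org/apache/log4j/net/JMSAppender.class` (CVE-2021-4104) and `org/apache/log4j/net/SocketServer.class` (CVE-2019-17571). It assumes the version is readable from the jar filename, as with `log4j-1.2.15.jar`; the sample jar it builds is constructed only so the script runs offline.

```python
import os, re, sys, tempfile, zipfile

# Entry paths inside a log4j 1.2 jar for the classes the two advisories concern.
RISKY_CLASSES = {
    "CVE-2021-4104": "org/apache/log4j/net/JMSAppender.class",
    "CVE-2019-17571": "org/apache/log4j/net/SocketServer.class",
}

def inspect_jar(path):
    """Report the version (from the filename) and which risky classes the jar holds."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    m = re.search(r"log4j-(\d+(?:\.\d+)+)\.jar$", os.path.basename(path))
    version = m.group(1) if m else "unknown"
    return {
        "path": path,
        "version": version,
        "is_1x": version.startswith("1."),
        "present": {cve: cls in names for cve, cls in RISKY_CLASSES.items()},
    }

def scan_tree(root):
    """Same walk as `find . -type f | grep -i log4j`, then a look inside each jar."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.lower().endswith(".jar"):
                hits.append(inspect_jar(os.path.join(dirpath, name)))
    return sorted(hits, key=lambda h: h["path"])

def build_sample_jar(directory, version="1.2.15", with_net_classes=True):
    """Write a constructed jar (empty class entries) so the scanner runs offline."""
    path = os.path.join(directory, f"log4j-{version}.jar")
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("org/apache/log4j/Logger.class", b"")
        if with_net_classes:
            for cls in RISKY_CLASSES.values():
                jar.writestr(cls, b"")
    return path

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) == 1:
        build_sample_jar(root)  # no directory given: demo on a constructed jar
    for hit in scan_tree(root):
        flagged = [cve for cve, found in hit["present"].items() if found]
        print(hit["path"], hit["version"], "flagged:", ", ".join(flagged) or "none")
```

Run it as `python3 scan_log4j.py /path/to/netbeans` to list every log4j jar, its version, and which of the two advisories' classes it still carries; a 1.x jar that reports both as present is the case question 4 above asks about.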