Here are the relevant places in the sources:

https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list
https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt

I don't see it anywhere else, i.e., it's used in the HTML editor for validation, looks like.

Gj

On Tue, Jan 4, 2022 at 4:24 PM Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:

> Indeed, that's a different vulnerability and, indeed, we do need to
> upgrade to the latest release of log4j.
>
> Gj
>
> On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx <hcl...@gmail.com> wrote:
>
>> Hi,
>>
>> The log4j2 security page also clearly states:
>>
>> "Please note that Log4j 1.x has reached End of Life in 2015 and is no
>> longer supported. Vulnerabilities reported after August 2015 against Log4j
>> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
>> to obtain security fixes."
>>
>> And there is a security vulnerability present in log4j 1.x,
>> CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/> that
>> might need addressing in NetBeans. This is stated on the following page:
>>
>> - https://logging.apache.org/log4j/1.2/
>>
>> Greets,
>> Humphrey.
>>
>> On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga
>> <geertjan.wiele...@googlemail.com.invalid> wrote:
>>
>>> We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
>>>
>>> --
>>> nb16$ find . -type f | grep -i log4j
>>> ./extide/ant/lib/ant-apache-log4j.jar
>>> ./ide/modules/ext/log4j-1.2.15.jar
>>> --
>>>
>>> So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
>>> source [1]:
>>>
>>> "Log4j 1.x is not impacted by this vulnerability."
>>>
>>> (where "this vulnerability" means
>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).
>>>
>>> Hope it helps,
>>>
>>> Gj
>>>
>>> [1] https://logging.apache.org/log4j/2.x/security.html
>>>
>>> On Mon, Jan 3, 2022 at 10:33 PM <ashley.ding...@wellsfargo.com.invalid>
>>> wrote:
>>>
>>>> Can the following questions be confirmed for NetBeans?
>>>>
>>>> 1. Which versions of your products utilize Log4j 1.x, if any?
>>>>
>>>> 2. Do they utilize the JMSAppender or SocketServer classes?
>>>>
>>>> 3. Do you have any mitigation options available for addressing both
>>>> CVE-2019-17571 and CVE-2021-4104?
>>>>
>>>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>>>>
>>>> 4. Would it impact the product if we deleted both the
>>>> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR
>>>> itself?
>>>>
>>>> 5. Can you provide a roadmap of when you plan to move to Log4j version
>>>> 2.15 or higher?
>>>>
>>>> Thanks,
>>>>
>>>> Ashley Dingman
>>>>
>>>
>>
>> --
>> In the mountains of truth, you never climb in vain - Nietzsche
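The inventory step Geertjan describes (find the shipped jars, confirm the version) and the mitigation Ashley asks about in question 4 (deleting JMSAppender and SocketServer from the Log4j 1.x jar) can be done by jar contents rather than by filename, which also catches a 1.x copy that was renamed or shaded into another jar. The following is an added example and is not code from the NetBeans project or from anyone on this thread. It assumes the Log4j 1.2 entry paths org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class, it builds a constructed stand-in for the NetBeans 12.6 layout shown above with dummy class entries (not real bytecode), and the function names are mine.

```python
"""Inventory Log4j 1.x jars under an install tree and strip the two classes
named in the thread (JMSAppender, SocketServer). Added example, not NetBeans code."""
import os
import re
import tempfile
import zipfile

# Entry paths inside a Log4j 1.2 jar for the classes the questions ask about
# (assumption: standard 1.2 package layout, not a shaded/relocated copy).
SUSPECT_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
VERSION_RE = re.compile(r"log4j-(1\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)


def inspect_jar(path):
    """Return a finding dict if the jar carries Log4j 1.x classes, else None.

    A bridge such as ant-apache-log4j.jar only references org.apache.log4j;
    it is reported only if it actually bundles classes from that package."""
    try:
        zf = zipfile.ZipFile(path)
    except zipfile.BadZipFile:
        return None
    with zf:
        names = set(zf.namelist())
        if not any(n.startswith("org/apache/log4j/") and n.endswith(".class")
                   for n in names):
            return None
        version = None
        m = VERSION_RE.search(os.path.basename(path))
        if m:
            version = m.group(1)
        elif "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        return {
            "jar": path,
            "version": version,
            "suspect_classes": sorted(c for c in SUSPECT_CLASSES if c in names),
        }


def scan_for_log4j(root):
    """The `find . | grep -i log4j` step, but deciding by contents of every jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(".jar"):
                finding = inspect_jar(os.path.join(dirpath, f))
                if finding:
                    finding["jar"] = os.path.relpath(finding["jar"], root)
                    findings.append(finding)
    return sorted(findings, key=lambda x: x["jar"])


def strip_classes(src_jar, dst_jar, classes=SUSPECT_CLASSES):
    """Copy src_jar to dst_jar without the given entries; return what was removed."""
    removed = []
    with zipfile.ZipFile(src_jar) as zin, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename in classes:
                removed.append(item.filename)
                continue
            zout.writestr(item, zin.read(item.filename))
    return sorted(removed)


def _write_jar(path, entries):
    """Constructed sample jar; entries is {name: bytes}. Not real bytecode."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)


def demo():
    """Build a constructed NetBeans-12.6-like tree, scan it, strip the 1.x jar, rescan."""
    root = tempfile.mkdtemp(prefix="nb-log4j-scan-")
    fake = b"\xca\xfe\xba\xbe"  # class-file magic only; stands in for a real class
    _write_jar(os.path.join(root, "ide/modules/ext/log4j-1.2.15.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nImplementation-Version: 1.2.15\n",
        "org/apache/log4j/Logger.class": fake,
        "org/apache/log4j/net/JMSAppender.class": fake,
        "org/apache/log4j/net/SocketServer.class": fake,
    })
    _write_jar(os.path.join(root, "extide/ant/lib/ant-apache-log4j.jar"), {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "org/apache/tools/ant/listener/Log4jListener.class": fake,
    })
    before = scan_for_log4j(root)
    src = os.path.join(root, "ide/modules/ext/log4j-1.2.15.jar")
    dst = src + ".stripped"
    removed = strip_classes(src, dst)
    os.replace(dst, src)  # swap the stripped copy in, then re-verify
    after = scan_for_log4j(root)
    return {"before": before, "removed": removed, "after": after}


if __name__ == "__main__":
    print(demo())
```

Stripping the two entries answers question 4 only at the jar level: it does not tell you whether the product's own logging configuration ever instantiates those appenders, so that still has to be checked against the configuration and code (which is what the binaries-list pointer at the top of the thread starts to do). Run the scan again after stripping, as demo() does, and keep in mind that the bridge jar is reported only when it actually bundles org.apache.log4j classes.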