It seems NetBeans 12.6 is using log4j 1.2.15 provided by the org-netbeans-modules-html-validation module, so it is not affected by CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228> (only versions , but it is affected by a related similar vulnerability CVE-2021-4104 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104> and another old but severe one CVE-2019-17571 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571>.
On our NetBeans Platform based application we ended up patching the jars, removing a few (unused) class files from the org/apache/log4j/net package in the log4j jar: JMSAppender.class to mitigate CVE-2021-4104 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104> and SimpleSocketServer.class, SocketNode.class, SocketServer.class to mitigate CVE-2019-17571 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571>.

On Tue, Dec 14, 2021 at 7:16 PM Caoyuan <[email protected]> wrote:
> There is information which may be helpful:
> https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> -Caoyuan Deng
>
> On Tue, 14 Dec 2021 at 09:35, Ramnath, Kai <[email protected]> wrote:
>
> > To whom it may concern:
> >
> > My IT department has been made aware of a potential vulnerability for applications developed on Java:
> >
> > The Apache Software Foundation announced <https://logging.apache.org/log4j/2.x/security.html> a critical remote code execution vulnerability (CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228>) in Apache Log4J, a popular open source framework for logging in the Java programming language.
> >
> > I'd like to know if NetBeans is vulnerable to this exploit.
> >
> > Kind Regards,
> >
> > Kai Ramnath | Director, Credit Risk Methodologies | Enterprise Risk, Group Risk Management | Royal Bank of Canada | 647-968-3855 | [email protected]
> > _______________________________________________________________________
> >
> > If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.
> >
> > If you receive this email in error, please notify the sender immediately, by return email or otherwise. You have agreed to receive the attached document(s) electronically at the email address indicated above; please keep a copy of this confirmation for future reference.

--
Matteo Di Giovinazzo
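The jar-patching step Matteo describes above, written out as an added example (this is not code from the thread, from NetBeans or from the log4j project). A jar is a zip archive, so the four class files can be dropped with nothing but Python's stdlib zipfile: the script lists which of the risky entries a log4j 1.2.x jar still contains, rewrites the jar without them, and re-reads it to confirm they are gone. The function names, and the stand-in jar it builds for an offline run (real log4j entry names, dummy bytes), are my own; point mitigate_log4j1_jar() at the actual log4j jar to patch it.

```python
import tempfile
import zipfile
from pathlib import Path

# The four class files removed in the thread, keyed by the CVE each one mitigates.
# Keys are entry names inside the jar.
LOG4J1_RISKY_CLASSES = {
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
    "org/apache/log4j/net/SimpleSocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketNode.class": "CVE-2019-17571",
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
}


def risky_entries(jar_path):
    """Return {entry_name: cve} for every risky class still present in the jar."""
    with zipfile.ZipFile(jar_path) as zf:
        present = set(zf.namelist())
    return {name: cve for name, cve in LOG4J1_RISKY_CLASSES.items() if name in present}


def strip_entries(jar_path, entries):
    """Rewrite the jar without `entries` and return the names actually removed.

    zipfile cannot delete in place, so every other entry is copied (keeping its
    own compression method and metadata) into a temporary file that then
    replaces the original, so a crash never leaves a truncated jar behind.
    """
    jar_path = Path(jar_path)
    tmp_path = jar_path.with_name(jar_path.name + ".tmp")
    removed = []
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    tmp_path.replace(jar_path)
    return removed


def mitigate_log4j1_jar(jar_path):
    """Remove the risky classes, then re-read the jar to prove they are gone and intact."""
    removed = strip_entries(jar_path, set(risky_entries(jar_path)))
    leftover = risky_entries(jar_path)
    if leftover:
        raise RuntimeError(f"still present after patching: {sorted(leftover)}")
    with zipfile.ZipFile(jar_path) as zf:
        bad = zf.testzip()  # CRC check of every remaining entry
    if bad is not None:
        raise RuntimeError(f"corrupt entry after patching: {bad}")
    return sorted(removed)


def build_sample_jar(jar_path):
    """Constructed stand-in for log4j-1.2.15.jar (assumption: not the real jar).

    Real log4j 1.2 entry names, dummy bytes; only here so the demo runs offline.
    """
    entries = [
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        "org/apache/log4j/PatternLayout.class",
        "org/apache/log4j/net/SocketAppender.class",  # stays: not one of the four
        *LOG4J1_RISKY_CLASSES,
    ]
    with zipfile.ZipFile(jar_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe " + name.encode())
    return jar_path


def demo():
    """Build the sample jar, patch it, and report the before/after state."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(str(Path(tmp) / "log4j-1.2.15.jar"))
        before = risky_entries(jar)
        removed = mitigate_log4j1_jar(jar)
        with zipfile.ZipFile(jar) as zf:
            survivors = sorted(zf.namelist())
        return {"before": before, "removed": removed, "survivors": survivors}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two caveats when doing this to a real jar: keep a copy of the original, and remember that deleting JMSAppender.class makes any log4j configuration that references that appender fail to load (harmless in the thread's case, where the classes were unused, but worth checking your log4j.properties first). If the jar carries a signature, it will no longer verify after the rewrite.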
