Is there any value in eventually upgrading to a new log4j (i.e. log4j 2.15 or newer)?
Eric

On Wed, Dec 15, 2021 at 10:45 AM John Kostaras <[email protected]> wrote:
> Hallo,
>
> regarding the latest
>
> - Apache CVE: CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>
> - Apache security advisory: Apache Log4j Security Vulnerabilities <https://logging.apache.org/log4j/2.x/security.html>
>
> $ find . -name pom.xml | xargs grep log4j
> $ find . -type f | xargs grep log4j
>
> ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" />
> ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" />
> Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches
> ./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files: ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar ant-xz-1.10.8.jar
> ./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279 org.apache.ant:ant-apache-log4j:1.10.8
> ./extide/o.apache.tools.ant.module/external/build.xml: <include name="ant-apache-log4j-1.10.8.jar" />
> ./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B log4j:log4j:1.2.15
> ./ide/html.validation/external/log4j-1.2.15-license.txt:URL: http://logging.apache.org/log4j/
> Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches
> Binary file ./ide/html.validation/external/validator-20200626-patched.jar matches
> ./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar
> ./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar
> ./ide/html.validation/nbproject/project.xml: <runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path>
> ./ide/html.validation/nbproject/project.xml: <binary-origin>external/log4j-1.2.15.jar</binary-origin>
> ./java/projectimport.eclipse.core/test/unit/data/71770.classpath: <classpathentry kind="lib" path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/>
> /nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar Apache-2.0-ant
> ./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar Apache-2.0
> ./nbbuild/build/notice-temp: - Unnamed - log4j:log4j:jar:1.2.12
> ./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml: <file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/>
> Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches
> ./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml: <file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/>
> Binary file ./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar matches
> ./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar Apache-2.0-ant
> ./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar Apache-2.0
> ./nbbuild/netbeans/NOTICE: - Unnamed - log4j:log4j:jar:1.2.12
>
> In short, I couldn't find any dependencies on log4j 2.x.x, unless I'm missing something. In other words, NetBeans is secure by using old log4j versions.
>
> Best regards,
>
> JK.

--
Eric Bresie
[email protected]
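The find/grep inventory quoted above, generalised into a small checker (an added example, not code from this thread or from the NetBeans project): it walks a checkout, pulls versions out of log4j jar names and out of `binaries-list` coordinates, and classifies each one against the 2.15 fix line the thread refers to. The `HASH group:artifact:version` layout of `binaries-list` and the separate handling of the slf4j/ant wrapper jars are assumptions taken from the grep output shown.

```shell
#!/bin/sh
# Added example, not code from the thread: inventory log4j artifacts in a
# checkout and classify them for CVE-2021-44228 (2.x below the 2.15 fix line).

# Version from a jar name or Maven coordinate: log4j-1.2.15.jar -> 1.2.15,
# org.apache.logging.log4j:log4j-core:2.14.1 -> 2.14.1; empty if unrecognised.
extract_version() {
    n=${1%.jar}; n=${n##*log4j}          # keep the text after the last "log4j"
    case "$n" in                         # drop known 2.x artifact suffixes
        -core*) n=${n#-core} ;;  -api*) n=${n#-api} ;;  -1.2-api*) n=${n#-1.2-api} ;;
    esac
    case "$n" in -[0-9]*|:[0-9]*) printf '%s\n' "${n#?}" ;; *) printf '\n' ;; esac
}

# LOG4J1: 1.x (separate code base, outside this CVE), VULNERABLE: 2.x below 2.15,
# FIXED: 2.15 or newer, UNKNOWN: unparseable.
classify_log4j_version() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%[!0-9]*}               # digits before "-beta9", ".1", ...
    [ "$major" = "$1" ] && minor=        # no dot at all -> unparseable
    case "$major:$minor" in
        1:*) echo LOG4J1 ;;
        2:[0-9]*) if [ "$minor" -lt 15 ]; then echo VULNERABLE; else echo FIXED; fi ;;
        *) echo UNKNOWN ;;
    esac
}

# Walk a checkout: log4j jar names plus "HASH group:artifact:version" lines in
# files named binaries-list (assumed layout, taken from the grep output above).
scan_tree() {
    { find "$1" -type f -name '*log4j*.jar'
      find "$1" -type f -name binaries-list -exec grep -h log4j {} + 2>/dev/null | awk '{print $NF}'
    } | while IFS= read -r hit; do
        base=${hit##*/}
        case "$base" in *slf4j-log4j*|*ant-apache-log4j*)   # wrapper's version, not log4j's
            printf 'ADAPTER\t%s\t(check the log4j it bundles or binds to)\n' "$base"; continue ;;
        esac
        v=$(extract_version "$base")
        printf '%s\t%s\t%s\n' "$(classify_log4j_version "$v")" "$base" "${v:-?}"
    done
}

if [ $# -gt 0 ]; then scan_tree "$1"; fi   # usage: sh log4j-scan.sh /path/to/checkout
```

Each output line is `CLASS<TAB>artifact<TAB>version`, so the report can be sorted or diffed between releases.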
