Is this inaccurate: Note that only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.
On Wed, Dec 15, 2021 at 5:01 PM Michael Bien <[email protected]> wrote: > there is value to move eventually from log4j 1 to a maintained lib since > its EOL and has open CVEs too. > > On 15.12.21 19:37, Eric Bresie wrote: > > Is there any value in eventually upgrading to a new log4j (i.e. log4j > 2.15 > > or newer)? > > > > Eric > > > > On Wed, Dec 15, 2021 at 10:45 AM John Kostaras <[email protected]> > wrote: > > > >> Hallo, > >> > >> regarding the latest > >> > >> - Apache CVE: CVE-2021-44228 > >> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228> > >> - Apache security advisory: Apache Log4j Security Vulnerabilities > >> <https://logging.apache.org/log4j/2.x/security.html> > >> > >> > >> $ find . -name pom.xml | xargs grep log4j > >> $ find . -type f | xargs grep log4j > >> > >> > ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry > >> kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" /> > >> > >> > >> > ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry > >> kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" /> > >> > >> Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches > >> > >> > ./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files: > >> ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar > >> ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar > >> ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar > >> ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar > >> ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar > >> ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar > >> ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar > >> ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar > >> ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar > >> ant-xz-1.10.8.jar > >> > >> > >> > ./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279 > >> org.apache.ant:ant-apache-log4j:1.10.8 > >> > >> ./extide/o.apache.tools.ant.module/external/build.xml: > >> <include name="ant-apache-log4j-1.10.8.jar" /> > >> > >> > >> > ./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B > >> log4j:log4j:1.2.15 > >> ./ide/html.validation/external/log4j-1.2.15-license.txt:URL: > >> http://logging.apache.org/log4j/ > >> Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches > >> Binary file > ./ide/html.validation/external/validator-20200626-patched.jar > >> matches > >> > >> > ./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar > >> > >> > ./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar > >> ./ide/html.validation/nbproject/project.xml: > >> <runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path> > >> ./ide/html.validation/nbproject/project.xml: > >> <binary-origin>external/log4j-1.2.15.jar</binary-origin> > >> > >> ./java/projectimport.eclipse.core/test/unit/data/71770.classpath: > >> <classpathentry kind="lib" > path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/> > >> > >> > /nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar > >> Apache-2.0-ant > >> > ./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar > >> Apache-2.0 > >> ./nbbuild/build/notice-temp: - Unnamed - log4j:log4j:jar:1.2.12 > >> > >> > ./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml: > >> <file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/> > >> Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches > >> > >> > >> > ./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml: > >> <file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/> > >> Binary file > >> > ./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar > >> matches > >> ./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar > >> Apache-2.0-ant > >> ./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar > >> Apache-2.0 > >> > >> ./nbbuild/netbeans/NOTICE: - Unnamed - log4j:log4j:jar:1.2.12 > >> > >> In short, I couldn't find any dependencies to log4j 2.x.x, unless I 'm > >> missing something. In other words, NetBeans is secure by using old log4j > >> versions. > >> > >> Best regards, > >> > >> JK. > >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > For further information about the NetBeans mailing lists, visit: > https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists > > > > -- Regards, Carl
