You misinterpreted what I was trying to say. I did not want to imply that NB is vulnerable (I haven't checked). All I said is that log4j1 is EOL and has open vulnerabilities. Even if it did not have open CVEs, it would still have to be dropped at some point.

On 15.12.21 23:08, Carl Mosca wrote:
Is this inaccurate:

Note that only the log4j-core JAR file is impacted by this vulnerability.
Applications using only the log4j-api JAR file without the log4j-core JAR
file are not impacted by this vulnerability.


On Wed, Dec 15, 2021 at 5:01 PM Michael Bien <[email protected]> wrote:

There is value in moving eventually from log4j 1 to a maintained lib, since it's EOL and has open CVEs too.

On 15.12.21 19:37, Eric Bresie wrote:
Is there any value in eventually upgrading to a new log4j (i.e. log4j 2.15 or newer)?

Eric

On Wed, Dec 15, 2021 at 10:45 AM John Kostaras <[email protected]> wrote:
Hello,

regarding the latest

- Apache CVE: CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>
- Apache security advisory: Apache Log4j Security Vulnerabilities <https://logging.apache.org/log4j/2.x/security.html>


$ find . -name pom.xml | xargs grep log4j
$ find . -type f | xargs grep log4j


./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry
kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" />



./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry
kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" />

Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches


./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files:
ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar
ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar
ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar
ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar
ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar
ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar
ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar
ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar
ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar
ant-xz-1.10.8.jar



./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279
org.apache.ant:ant-apache-log4j:1.10.8

./extide/o.apache.tools.ant.module/external/build.xml:
   <include name="ant-apache-log4j-1.10.8.jar" />



./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B
log4j:log4j:1.2.15
./ide/html.validation/external/log4j-1.2.15-license.txt:URL:
http://logging.apache.org/log4j/
Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches
Binary file
./ide/html.validation/external/validator-20200626-patched.jar
matches


./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar

./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar
./ide/html.validation/nbproject/project.xml:
   <runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path>
./ide/html.validation/nbproject/project.xml:
   <binary-origin>external/log4j-1.2.15.jar</binary-origin>

./java/projectimport.eclipse.core/test/unit/data/71770.classpath:
   <classpathentry kind="lib"
path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/>

/nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar
                                    Apache-2.0-ant

./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar
                                     Apache-2.0
./nbbuild/build/notice-temp:  - Unnamed - log4j:log4j:jar:1.2.12


./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml:
         <file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/>
Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches



./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml:
         <file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/>
Binary file

./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar
matches
./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar
                        Apache-2.0-ant
./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar
                       Apache-2.0

./nbbuild/netbeans/NOTICE:  - Unnamed - log4j:log4j:jar:1.2.12

In short, I couldn't find any dependencies on log4j 2.x.x, unless I'm
missing something. In other words, NetBeans is secure by using old log4j
versions.

Best regards,

JK.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists



--
Regards,
Carl



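An added shell example, not from the thread or the NetBeans project: it repeats the find/grep pass John ran above, but classifies each hit against the advisory text quoted by Carl (log4j-core 2.x below 2.15 in scope, log4j-api alone out of scope) and Michael's point that log4j 1.x is EOL. The sample files it scans are constructed, and the log4j-core 2.x hit is hypothetical; the thread found none.

```shell
#!/bin/sh
# Added example (not from the thread): triage log4j hits the way the find | xargs grep pass
# above does, but classify each hit against the advisory text quoted in the thread:
# log4j-core 2.x below 2.15 is in scope for CVE-2021-44228, log4j-api alone is not, and
# log4j 1.2.x is out of scope for this CVE but end-of-life. Sample paths are constructed.

classify_log4j() {
  # $1: a path, jar name or Maven coordinate that contains "log4j"
  ref=$1
  case $ref in
    *ant-apache-log4j*)
      # Ant's optional log4j listener: 1.10.8 in the thread is Ant's version, not log4j's
      echo "ant-apache-log4j: version is Ant's, not log4j's; check the log4j it loads" ;;
    *log4j-api-2.*|*log4j-api:2.*)
      echo "log4j-api only: not impacted by CVE-2021-44228" ;;
    *log4j-core-2.*|*log4j-core:2.*)
      minor=${ref##*log4j-core[-:]2.}   # drop everything up to "log4j-core-2." or "log4j-core:2."
      minor=${minor%%[!0-9]*}           # keep the leading digits of the minor version
      if [ "${minor:-0}" -lt 15 ]; then
        echo "log4j-core 2.x below 2.15: impacted by CVE-2021-44228"
      else
        echo "log4j-core 2.15 or newer: at or above the threshold named in the thread"
      fi ;;
    *log4j-1.*|*log4j:log4j:*1.*|*slf4j-log4j12*)
      echo "log4j 1.x: not impacted by CVE-2021-44228, but EOL" ;;
    *)
      echo "log4j reference without a recognisable version: check manually" ;;
  esac
}

scan_tree() {
  # $1: directory to scan. -I skips binaries (the "Binary file ... matches" noise above);
  # -o keeps only the token containing log4j, so the version stays attached to the name.
  grep -rIoh '[A-Za-z0-9_.:-]*log4j[A-Za-z0-9_.:-]*' "$1" 2>/dev/null | sort -u |
    while IFS= read -r ref; do
      printf '%s\t%s\n' "$ref" "$(classify_log4j "$ref")"
    done
}

# Constructed sample tree: hit types seen in the thread plus a hypothetical log4j-core 2.x one.
demo=$(mktemp -d)
printf '<classpathentry kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" />\n' > "$demo/.classpath"
printf 'log4j:log4j:1.2.15\norg.apache.ant:ant-apache-log4j:1.10.8\n' > "$demo/binaries-list"
printf 'file.reference.log4j-core-2.14.1.jar=external/log4j-core-2.14.1.jar\n' > "$demo/project.properties"
scan_tree "$demo"
rm -rf "$demo"
```

The ant-apache-log4j case is there because its 1.10.8 is Ant's own version number, which a bare grep for "log4j" makes look like a log4j 1.x hit.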


