Actually I was wondering about the find command arguments.

Sorry just asking.

On Wed, Dec 15, 2021 at 5:14 PM Michael Bien <[email protected]> wrote:

> You misinterpreted what I was trying to say. I did not want to imply
> that NB is vulnerable (I haven't checked). All I said is that log4j1 is
> EOL and has open vulnerabilities. Even if it would not have open CVEs,
> it still would have to be dropped at some point.
>
> On 15.12.21 23:08, Carl Mosca wrote:
> > Is this inaccurate:
> >
> > Note that only the log4j-core JAR file is impacted by this vulnerability.
> > Applications using only the log4j-api JAR file without the log4j-core JAR
> > file are not impacted by this vulnerability.
> >
> >
> > On Wed, Dec 15, 2021 at 5:01 PM Michael Bien <[email protected]> wrote:
> >
> >> there is value to move eventually from log4j 1 to a maintained lib since
> >> it's EOL and has open CVEs too.
> >>
> >> On 15.12.21 19:37, Eric Bresie wrote:
> >>> Is there any value in eventually upgrading to a new log4j (i.e. log4j 2.15
> >>> or newer)?
> >>>
> >>> Eric
> >>>
> >>> On Wed, Dec 15, 2021 at 10:45 AM John Kostaras <[email protected]> wrote:
> >>>> Hello,
> >>>>
> >>>> regarding the latest
> >>>>
> >>>>      - Apache CVE: CVE-2021-44228
> >>>>      <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228>
> >>>>      - Apache security advisory: Apache Log4j Security Vulnerabilities
> >>>>      <https://logging.apache.org/log4j/2.x/security.html>
> >>>>
> >>>>
> >>>> $ find . -name pom.xml | xargs grep log4j
> >>>> $ find . -type f | xargs grep log4j
> >>>>
> >>>> ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" />
> >>>> ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" />
> >>>> Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches
> >>>> ./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files:
> >>>> ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar
> >>>> ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar
> >>>> ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar
> >>>> ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar
> >>>> ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar
> >>>> ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar
> >>>> ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar
> >>>> ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar
> >>>> ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar
> >>>> ant-xz-1.10.8.jar
> >>>> ./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279 org.apache.ant:ant-apache-log4j:1.10.8
> >>>> ./extide/o.apache.tools.ant.module/external/build.xml:    <include name="ant-apache-log4j-1.10.8.jar" />
> >>>> ./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B log4j:log4j:1.2.15
> >>>> ./ide/html.validation/external/log4j-1.2.15-license.txt:URL: http://logging.apache.org/log4j/
> >>>> Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches
> >>>> Binary file ./ide/html.validation/external/validator-20200626-patched.jar matches
> >>>> ./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar
> >>>> ./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar
> >>>> ./ide/html.validation/nbproject/project.xml:    <runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path>
> >>>> ./ide/html.validation/nbproject/project.xml:    <binary-origin>external/log4j-1.2.15.jar</binary-origin>
> >>>> ./java/projectimport.eclipse.core/test/unit/data/71770.classpath:    <classpathentry kind="lib" path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/>
> >>>> /nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar    Apache-2.0-ant
> >>>> ./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar    Apache-2.0
> >>>> ./nbbuild/build/notice-temp:  - Unnamed - log4j:log4j:jar:1.2.12
> >>>> ./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml:          <file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/>
> >>>> Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches
> >>>> ./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml:          <file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/>
> >>>> Binary file ./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar matches
> >>>> ./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar    Apache-2.0-ant
> >>>> ./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar    Apache-2.0
> >>>> ./nbbuild/netbeans/NOTICE:  - Unnamed - log4j:log4j:jar:1.2.12
> >>>>
> >>>> In short, I couldn't find any dependencies to log4j 2.x.x, unless I'm
> >>>> missing something. In other words, NetBeans is secure by using old
> >>>> log4j versions.
> >>>>
> >>>> Best regards,
> >>>>
> >>>> JK.
> >>>>
> >>
> >>
> >> --
> > Regards,
> > Carl
> >
>
> --
Regards,
Carl
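
The grep output quoted above reports jars and zips only as "Binary file ... matches", which does not show whether an archive holds log4j 1.x, log4j-api alone, or the log4j-core classes the advisory text refers to. The following is an added example, not code from this thread or from NetBeans: it opens each archive under a directory, including archives nested inside other archives, and reports which marker class it contains. The marker class paths and all function names are assumptions chosen for this illustration.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Marker classes (assumed); log4j-1.2-api (the 2.x bridge) also ships org.apache.log4j.
MARKERS = {
    "log4j-core 2.x": "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "log4j 1.x": "org/apache/log4j/Logger.class",
}
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label, findings, depth=0):
    """Record marker hits in one archive; recurse into nested archives (max depth 4)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        findings.extend((label, kind) for kind, m in MARKERS.items() if m in names)
        for name in sorted(names):
            if depth < 4 and name.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(name), f"{label}!{name}", findings, depth + 1)

def scan_tree(root):
    """Return sorted (archive path, kind) pairs for every archive under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), findings)
    return sorted(findings)

def make_jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Scan a constructed tree: a 1.x jar, an api-only jar, a zip nesting log4j-core."""
    core = make_jar({MARKERS["log4j-core 2.x"]: b""})
    with tempfile.TemporaryDirectory() as root:
        Path(root, "log4j-1.2.15.jar").write_bytes(make_jar({MARKERS["log4j 1.x"]: b""}))
        Path(root, "log4j-api.jar").write_bytes(make_jar({"org/apache/logging/log4j/Logger.class": b""}))
        Path(root, "dist.zip").write_bytes(make_jar({"lib/log4j-core.jar": core}))
        return scan_tree(root)
```

Calling `scan_tree(".")` from the top of a checkout lists each archive by path, with `!` separating an outer archive from the entry nested inside it.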
