We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
--
nb16$ find . -type f | grep -i log4j
./extide/ant/lib/ant-apache-log4j.jar
./ide/modules/ext/log4j-1.2.15.jar
--

So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official source [1]: "Log4j 1.x is not impacted by this vulnerability." (where "this vulnerability" means https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).

Hope it helps,
Gj

[1] https://logging.apache.org/log4j/2.x/security.html

On Mon, Jan 3, 2022 at 10:33 PM <ashley.ding...@wellsfargo.com.invalid> wrote:
> Can the following questions be confirmed for NetBeans?
>
> 1. Which versions of your products utilize Log4j 1.x, if any?
>
> 2. Do they utilize the JMSAppender or SocketServer classes?
>
> 3. Do you have any mitigation options available for addressing both
> CVE-2019-17571 and CVE-2021-4104?
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>
> 4. Would it impact the product if we deleted both the
> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR
> itself?
>
> 5. Can you provide a roadmap of when you plan to move to Log4j version
> 2.15 or higher?
>
> Thanks,
> Ashley Dingman
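The thread above does the inventory by hand (`find | grep log4j`) and then asks, separately, whether the shipped Log4j 1.x JAR contains the JMSAppender and SocketServer classes behind CVE-2021-4104 and CVE-2019-17571, and whether those two classes could simply be removed from the JAR. The script below is an added example, not part of this mailing-list thread and not NetBeans tooling: it walks a directory tree, finds JARs whose name contains "log4j", reads the version from Maven's `pom.properties` (falling back to the filename), reports which of the two classes are present, and can rewrite a JAR without them. The directory layout and JAR contents it inspects are constructed in a temporary directory to mirror the `find` output quoted above; the `.class` entries hold only the class-file magic bytes, not real bytecode.

```python
"""Inventory log4j JARs under a directory tree and report whether the
JMSAppender / SocketServer classes are present (added example; sample
tree is constructed, not taken from a real NetBeans install)."""
import os
import re
import tempfile
import zipfile

# The two classes the thread asks about (paths inside the log4j 1.x JAR).
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)


def is_log4j_jar(path):
    """Same filter as the thread's `find | grep -i log4j`, restricted to JARs."""
    name = os.path.basename(path).lower()
    return name.endswith(".jar") and "log4j" in name


def jar_version(zf, filename):
    """Prefer Maven's pom.properties; fall back to a log4j-<ver>.jar filename."""
    for name in zf.namelist():
        if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    m = re.search(r"log4j-(\d+(?:\.\d+)*)\.jar$", filename, re.IGNORECASE)
    return m.group(1) if m else "unknown"


def inspect_jar(path):
    """Return version and the subset of RISKY_CLASSES found in one JAR."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        return {
            "path": path,
            "version": jar_version(zf, os.path.basename(path)),
            "risky_classes": [c for c in RISKY_CLASSES if c in names],
        }


def inventory(root):
    """Walk `root` and inspect every log4j-named JAR, sorted by path."""
    results = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            if is_log4j_jar(p) and zipfile.is_zipfile(p):
                results.append(inspect_jar(p))
    return sorted(results, key=lambda r: r["path"])


def strip_classes(path, classes=RISKY_CLASSES):
    """Rewrite the JAR without the named entries (the removal the thread asks about)."""
    tmp = path + ".tmp"
    with zipfile.ZipFile(path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            if info.filename not in classes:
                dst.writestr(info, src.read(info.filename))
    os.replace(tmp, path)


def build_sample_tree():
    """Constructed sample mirroring the thread's find output: a log4j 1.2.15 JAR
    that contains both classes, and an Ant bridge JAR that contains neither."""
    root = tempfile.mkdtemp(prefix="nb-sample-")
    ext = os.path.join(root, "ide", "modules", "ext")
    antlib = os.path.join(root, "extide", "ant", "lib")
    os.makedirs(ext)
    os.makedirs(antlib)
    magic = b"\xca\xfe\xba\xbe"  # class-file magic only; not real bytecode
    with zipfile.ZipFile(os.path.join(ext, "log4j-1.2.15.jar"), "w") as zf:
        zf.writestr("META-INF/maven/log4j/log4j/pom.properties", "version=1.2.15\n")
        zf.writestr("org/apache/log4j/Logger.class", magic)
        for c in RISKY_CLASSES:
            zf.writestr(c, magic)
    with zipfile.ZipFile(os.path.join(antlib, "ant-apache-log4j.jar"), "w") as zf:
        zf.writestr("org/apache/tools/ant/listener/Log4jListener.class", magic)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for r in inventory(root):
        print(f"{r['path']}: version={r['version']} risky={r['risky_classes']}")
```

Run against a real install, `inventory("/path/to/netbeans")` replaces the constructed tree; a JAR that reports `risky_classes == []` is one where the two appender/server classes are already absent, and `strip_classes` shows what the JAR looks like after the deletion the thread asks about, which is then worth re-running `inventory` over to confirm.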