You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by Pe...@RUV.de on 2021/12/21 17:41:30 UTC

Apache Directory Studio 2.0.0.v20151221-M10 prone to CVE-2021-44228

Hello,

could you please give us a short information if Apache Directory Studio is prone to CVE-2021-44228.
We have seen that a log4j is included

./Apache Directory Studio\plugins\org.apache.ant_1.9.2.v201404171502\lib\ant-apache-log4j.jar

But we don't know if it has any impact in respect to the security issue.

Best regards,

Peter Brodt

R+V Allgemeine Versicherung AG
ZI-SE-E1-EW
Abraham-Lincoln-Str. 21/R307
65189 Wiesbaden

#gerneperdu

Telefon: +49 611 533-3902
Telefax: +49 611 533-773902
Mobil: +49 176 43952053
E-Mail: Peter.Brodt@RUV.de
Internet: www.ruv.de

R+V Allgemeine Versicherung AG, Vorsitzender des Aufsichtsrats: Generaldirektor Dr. Norbert Rollinger.
Vorstand: Dr. Edgar Martin, Vorsitzender; Jens Hasselbächer, Tillmann Lukosch, Julia Merkel, Marc René Michallet.
Sitz: Raiffeisenplatz 1, 65189 Wiesbaden, Handelsregister Nr. HRB 2188, Amtsgericht Wiesbaden, USt-IdNr. DE 811198334


Bitte drucken Sie nur, was Sie wirklich brauchen.

Re: Apache Directory Studio 2.0.0.v20151221-M10 prone to CVE-2021-44228

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.

Hi Peter,

first of all to be clear, you ask about a 6 year old version of Apache 
Directory Studio, correct?

I looked into that jar, it's the Apache Ant Log4 Listener only. The 
log4j library itself is not included (neither in version 1 nor 2).

```
$ unzip -l 
./plugins/org.apache.ant_1.9.2.v201404171502/lib/ant-apache-log4j.jar
Archive: 
./plugins/org.apache.ant_1.9.2.v201404171502/lib/ant-apache-log4j.jar
   Length      Date    Time    Name
---------  ---------- -----   ----
         0  2013-07-08 20:17   META-INF/
       432  2013-07-08 20:17   META-INF/MANIFEST.MF
         0  2013-07-08 20:16   org/
         0  2013-07-08 20:16   org/apache/
         0  2013-07-08 20:17   org/apache/tools/
         0  2013-07-08 20:17   org/apache/tools/ant/
         0  2013-07-08 20:17   org/apache/tools/ant/listener/
      3446  2013-07-08 20:17 
org/apache/tools/ant/listener/Log4jListener.class
     15289  2013-07-08 20:16   META-INF/LICENSE.txt
       218  2013-07-08 20:16   META-INF/NOTICE.txt
---------                     -------
     19385                     10 files
```

Kind regards,
Stefan



On 12/21/21 18:41, Peter.Brodt@RUV.de wrote:
> Hello,
> 
> could you please give us a short information if Apache Directory Studio is prone to CVE-2021-44228.
> We have seen that a log4j is included
> 
> ./Apache Directory Studio\plugins\org.apache.ant_1.9.2.v201404171502\lib\ant-apache-log4j.jar
> 
> But we don't know if it has any impact in respect to the security issue.
> 
> Best regards,
> 
> Peter Brodt


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@directory.apache.org
For additional commands, e-mail: dev-help@directory.apache.org