Posted to users@netbeans.apache.org by Mike Hallan <mk...@yahoo.com.INVALID> on 2021/12/15 19:13:09 UTC

Log4j vulnerability

Does Netbeans Platform at any level use Log4j? I was thinking maybe the logging module may, if not use it, then be based on it.
Are applications built on Netbeans Platform in any way vulnerable to Log4j exploits as described at mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
Thanks,
Mike

Re: Log4j vulnerability

Posted by Alonso Del Arte <al...@gmail.com>.
On Fri, Dec 17, 2021 at 10:18 AM Jason Abreu <ja...@gmail.com> wrote:

> A cursory file search in my NetBeans 12.6 folder shows "log4j-1.2.15.jar"
> in the "netbeans\ide\modules\ext" path.
>
> The vulnerability only seems to be in log4j versions 2+ so I don't think
> there is anything to worry about with the NetBeans IDE, itself.
>
> - Jason
>
That seems to be the consensus on the Slack channel.

Also, as far as I can tell, NetBeans never generates Log4j calls into your
projects (it does add java.util.logging if you have it generate an
exception handler, but that's in the JDK rather than from a third party).

Al

Re: Log4j vulnerability

Posted by Jason Abreu <ja...@gmail.com>.
A cursory file search in my NetBeans 12.6 folder shows 
"log4j-1.2.15.jar" in the "netbeans\ide\modules\ext" path.

The vulnerability only seems to be in log4j versions 2+ so I don't think 
there is anything to worry about with the NetBeans IDE, itself.

- Jason


On 12/15/21 2:13 PM, Mike Hallan wrote:
> Does Netbeans Platform at any level use Log4j? I was thinking maybe 
> the logging module may, if not use it, then be based on it.
>
> Are applications built on Netbeans Platform in any way vulnerable 
> to Log4j exploits as described at 
> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>
> Thanks,
> Mike
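
The file search described in the message above, extended to look inside archives for marker classes so that renamed or bundled copies are also found and log4j 1.x is told apart from log4j-core 2.x. This is an added example, not code from the thread or from NetBeans; the function names, the list of archive extensions and the sample jars (constructed, with empty class entries) are assumptions.

```python
import io
import tempfile
import zipfile
from pathlib import Path

V1_LOGGER = "org/apache/log4j/Logger.class"             # log4j 1.x API class
V2_CORE = "org/apache/logging/log4j/core/Logger.class"  # log4j-core 2.x class
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".nbm")  # assumed set of zip-based archives

def scan_archive(label, data):
    """Yield (location, family, has_jndi_lookup); recurses into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # unreadable archive: skip it rather than abort the scan
    with zf:
        names = set(zf.namelist())
        if V2_CORE in names:
            yield (label, "log4j-core 2.x", JNDI_LOOKUP in names)
        elif V1_LOGGER in names:
            yield (label, "log4j 1.x API", False)
        for inner in sorted(n for n in names if n.lower().endswith(ARCHIVES)):
            yield from scan_archive(f"{label}!/{inner}", zf.read(inner))

def scan_tree(root):
    """Return all findings for archive files below root, in path order."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix.lower() in ARCHIVES)
    return [hit for p in files for hit in scan_archive(p.as_posix(), p.read_bytes())]

def make_jar(entries):
    """Build a constructed (fake) jar in memory from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    """Scan a constructed tree that mimics the ide/modules/ext layout in the thread."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp, "ide", "modules", "ext")
        ext.mkdir(parents=True)
        (ext / "log4j-1.2.15.jar").write_bytes(make_jar({V1_LOGGER: b""}))
        core = make_jar({V2_CORE: b"", JNDI_LOOKUP: b""})
        (ext / "bundled.jar").write_bytes(make_jar({"lib/log4j-core.jar": core}))
        return scan_tree(tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real installation, call `scan_tree()` with the install or application directory; a hit inside another archive is reported with a `!/` separator between the outer and inner path.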

Re: Log4j vulnerability

Posted by Scott Palmer <sw...@gmail.com>.
Also consider if NetBeans Platform apps are likely to be in a situation where malicious input is possible to exploit the vulnerability in the first place. I suppose if the update centre or start page content were hacked it could be a vector to get malicious input into the NB logging. 

So the main concern is if log4j is used in the servers or if your platform app logs input from the wild. I think you also have to be running on an older JVM, don’t you?

Scott

> On Dec 15, 2021, at 7:06 PM, Alonso Del Arte <al...@gmail.com> wrote:
> 
> 
> Excellent question. I hope not. I'll check if there's been any discussion in the Slack...
> 
>> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan <mk...@yahoo.com.invalid> wrote:
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the logging module may, if not use it, then be based on it.
>> 
>> Are applications built on Netbeans Platform in any way vulnerable to Log4j exploits as described at mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>> 
>> Thanks,
>> Mike
> 
> 

Re: Log4j vulnerability

Posted by Carl Mosca <ca...@gmail.com>.
Log4j-core

On Wed, Dec 15, 2021 at 7:07 PM Alonso Del Arte <al...@gmail.com>
wrote:

> Excellent question. I hope not. I'll check if there's been any discussion
> in the Slack...
>
> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan <mk...@yahoo.com.invalid>
> wrote:
>
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
>> logging module may, if not use it, then be based on it.
>>
>> Are applications built on Netbeans Platform in any way vulnerable to
>> Log4j exploits as described at
>> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>>
>> Thanks,
>> Mike
>>
>
>
> --
> Alonso del Arte
> Author at SmashWords.com
> <https://www.smashwords.com/profile/view/AlonsoDelarte>
> Musician at ReverbNation.com <http://www.reverbnation.com/alonsodelarte>
>
-- 
Regards,
Carl

Re: Log4j vulnerability

Posted by Alonso Del Arte <al...@gmail.com>.
Excellent question. I hope not. I'll check if there's been any discussion
in the Slack...

On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan <mk...@yahoo.com.invalid>
wrote:

> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
> logging module may, if not use it, then be based on it.
>
> Are applications built on Netbeans Platform in any way vulnerable to
> Log4j exploits as described at
> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>
> Thanks,
> Mike
>


-- 
Alonso del Arte
Author at SmashWords.com
<https://www.smashwords.com/profile/view/AlonsoDelarte>
Musician at ReverbNation.com <http://www.reverbnation.com/alonsodelarte>