Posted to dev@netbeans.apache.org by "Ramnath, Kai" <ka...@rbc.com.INVALID> on 2021/12/14 17:34:33 UTC

Remote Code Execution Vulnerability

To whom it may concern:

My IT department has been made aware of a potential vulnerability for applications developed on Java:

The Apache Software Foundation announced<https://logging.apache.org/log4j/2.x/security.html> a critical remote code execution vulnerability (CVE-2021-44228<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228> ) in Apache Log4J, a popular open source framework for logging in the Java programming language.

I'd like to know if NetBeans is vulnerable to this exploit.

Kind Regards,

Kai Ramnath | Director, Credit Risk Methodologies | Enterprise Risk, Group Risk Management | Royal Bank of Canada | 647-968-3855 | kai.ramnath@rbc.com<ma...@rbc.com>
_______________________________________________________________________

If you received this email in error, please advise the sender (by return email or otherwise) immediately. You have consented to receive the attached electronically at the above-noted email address; please retain a copy of this confirmation for future reference.

If you receive this email in error, please notify the sender immediately, by return email or by other means. You have agreed to receive the attached document(s) electronically at the email address indicated above; please keep a copy of this confirmation for future reference.

Re: Remote Code Execution Vulnerability

Posted by Matteo Di Giovinazzo <ma...@gmail.com>.
It seems NetBeans 12.6 is using log4j 1.2.15 provided by the
org-netbeans-modules-html-validation module, so it is not affected by
CVE-2021-44228
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228> (only
versions , but it is affected by a related similar vulnerability
CVE-2021-4104 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104>
and
another old but severe one CVE-2019-17571
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571>.

On our NetBeans Platform based application we ended up patching the jars
removing a few (unused) class files from the org/apache/log4j/net package
in the log4j jar: JMSAppender.class to mitigate CVE-2021-4104
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104> and
SimpleSocketServer.class,
SocketNode.class, SocketServer.class to mitigate CVE-2019-17571
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571>.

On Tue, Dec 14, 2021 at 7:16 PM Caoyuan <dc...@gmail.com> wrote:



-- 
Matteo Di Giovinazzo
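The jar patching Matteo describes (deleting specific entries from the log4j 1.2 jar) can be scripted and, more usefully, verified afterwards. The following is an added example, not code from the thread or from NetBeans: it builds a constructed stand-in jar (placeholder bytes, not real log4j classes) so it runs offline, reports which of the named class entries are still present per CVE, and writes a copy of the jar without them. The function names (`findings`, `strip_entries`, `make_sample_jar`, `demo`) are this example's own; the entry paths are the ones the post names.

```python
import os
import tempfile
import zipfile

# Entry names inside the log4j 1.2 jar whose removal the post describes as the
# mitigation for each CVE.
MITIGATION_ENTRIES = {
    "CVE-2021-4104": ["org/apache/log4j/net/JMSAppender.class"],
    "CVE-2019-17571": [
        "org/apache/log4j/net/SimpleSocketServer.class",
        "org/apache/log4j/net/SocketNode.class",
        "org/apache/log4j/net/SocketServer.class",
    ],
}
ALL_RISKY = [e for entries in MITIGATION_ENTRIES.values() for e in entries]


def make_sample_jar(path):
    """Constructed stand-in for log4j-1.2.15.jar: same entry names, fake bytes."""
    entries = ALL_RISKY + [
        "META-INF/MANIFEST.MF",
        "org/apache/log4j/Logger.class",
        # Unrelated class in the same package; it must survive the patch.
        "org/apache/log4j/net/SocketAppender.class",
    ]
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"constructed placeholder for " + name.encode())
    return path


def findings(jar_path):
    """Map each CVE to the risky entries still present in the jar.

    An empty dict means none of the listed entries remain."""
    with zipfile.ZipFile(jar_path) as zf:
        present = set(zf.namelist())
    return {
        cve: [e for e in entries if e in present]
        for cve, entries in MITIGATION_ENTRIES.items()
        if any(e in present for e in entries)
    }


def strip_entries(src, dst, entries):
    """Copy src to dst, omitting the given entry names; return what was dropped.

    Writing a new jar (rather than editing in place) keeps the original for
    rollback and diffing."""
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def demo():
    """Run the check, patch, and re-check on the constructed jar."""
    workdir = tempfile.mkdtemp()
    src = make_sample_jar(os.path.join(workdir, "log4j-1.2.15.jar"))
    dst = os.path.join(workdir, "log4j-1.2.15-patched.jar")
    before = findings(src)
    removed = strip_entries(src, dst, set(ALL_RISKY))
    after = findings(dst)
    with zipfile.ZipFile(dst) as zf:
        survivors = sorted(zf.namelist())
    return before, sorted(removed), after, survivors


if __name__ == "__main__":
    before, removed, after, survivors = demo()
    print("before:", before)
    print("removed:", removed)
    print("after:", after)
    print("remaining entries:", survivors)
```

Two caveats worth keeping in mind when applying this to a real jar: deleting entries from a signed jar invalidates its signature (the `META-INF/*.SF` digests no longer match), and removing these classes addresses only the CVEs named in the post; log4j 1.x as a whole is no longer maintained, so replacing it remains the durable fix.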

Re: Remote Code Execution Vulnerability

Posted by Caoyuan <dc...@gmail.com>.
There is information which may be helpful:
https://www.lunasec.io/docs/blog/log4j-zero-day/

-Caoyuan Deng

On Tue, 14 Dec 2021 at 09:35, Ramnath, Kai <ka...@rbc.com.invalid>
wrote:
