Posted to dev@netbeans.apache.org by William Shackleford <ws...@gmail.com> on 2023/03/23 13:53:23 UTC

log4j

Netbeans appears to include log4j even in the most recent version.

in

netbeans/ide/modules/ext/log4j-1.2.15.jar

Our IT security group has flagged it and requires that it be removed even
though, as it is version 1, it is not vulnerable to the most famous issue, as
apparently there were other issues and it is no longer supported.

What are the consequences of removing it?

How would I go about committing or just suggesting a change to have it
removed from future versions to avoid triggering our security team from
telling everyone to delete it and maybe all of netbeans with it?

Re: Re: log4j

Posted by Eric Bresie <eb...@gmail.com>.
Kind of moot point now but FYI https://logging.apache.org/log4j/2.x/security.html

Eric Bresie
Ebresie@gmail.com

> On March 25, 2023 at 12:55:40 PM CDT, Matthias Bläsing <mblaesing@doppel-helix.eu.invalid> wrote:
> Hi,
>
> Am Freitag, dem 24.03.2023 um 22:29 +0100 schrieb Matthias Bläsing:
> > Hi,
> >
> > to prevent duplicate work: I'm preparing a patch to get log4j out.
> >
> > Greetings
>
> and here it is:
>
> https://github.com/apache/netbeans/pull/5716
>
> a nightly build is available from the checks summary page:
>
> https://github.com/apache/netbeans/actions/runs/4519593120
>
> or directly via:
>
> https://github.com/apache/netbeans/suites/11806181515/artifacts/616280546
>
>
> Two tests are relevant:
>
> a) @William: is your security happy with this?
> b) @all: does anyone see problems? (Unittests ran and were green).
>
> Greetings
>
> Matthias
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@netbeans.apache.org
> For additional commands, e-mail: dev-help@netbeans.apache.org
>
> For further information about the NetBeans mailing lists, visit:
> https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists

Re: log4j

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi,

Am Freitag, dem 24.03.2023 um 22:29 +0100 schrieb Matthias Bläsing:
> Hi,
> 
> to prevent duplicate work: I'm preparing a patch to get log4j out.
> 
> Greetings

and here it is:

https://github.com/apache/netbeans/pull/5716

a nightly build is available from the checks summary page:

https://github.com/apache/netbeans/actions/runs/4519593120

or directly via:

https://github.com/apache/netbeans/suites/11806181515/artifacts/616280546


Two tests are relevant:

a) @William: is your security happy with this?
b) @all: does anyone see problems? (Unittests ran and were green).

Greetings

Matthias



Re: log4j

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi,

to prevent duplicate work: I'm preparing a patch to get log4j out.

Greetings

Matthias


Am Donnerstag, dem 23.03.2023 um 09:53 -0400 schrieb William
Shackleford:
> Netbeans appears to include log4j even in the most recent version.
> 
> in
> 
> netbeans/ide/modules/ext/log4j-1.2.15.jar
> 
> Our IT security group has flagged it and requires that it be removed even
> though, as it is version 1, it is not vulnerable to the most famous issue, as
> apparently there were other issues and it is no longer supported.
> 
> What are the consequences of removing it?
> 
> How would I go about committing or just suggesting a change to have it
> removed from future versions to avoid triggering our security team from
> telling everyone to delete it and maybe all of netbeans with it?




Re: log4j

Posted by Scott Palmer <sw...@gmail.com>.
I just took a look at the code and there is only one commented out line
that mentions log4j in the html validator code. "git grep log4j" shows the
string appearing in plenty of other places, but it doesn't look like log4j
actually gets used anywhere!

Scott

On Thu, Mar 23, 2023 at 9:59 PM Eirik Bakke <eb...@ultorg.com> wrote:

> Is there any reason to use log4j instead of java.util.logging these days?
> If log4j is only used in one place in the NetBeans codebase, it might be
> beneficial to get rid of it in any case--one less dependency, and fewer
> overlapping logging libraries.
>
> -- Eirik
>
> -----Original Message-----
> From: Matthias Bläsing <mb...@doppel-helix.eu.INVALID>
> Sent: Thursday, March 23, 2023 2:48 PM
> To: dev@netbeans.apache.org
> Subject: Re: log4j
>
> Hi,
>
> Am Donnerstag, dem 23.03.2023 um 09:53 -0400 schrieb William Shackleford:
> > Netbeans appears to include log4j even in the most recent version.
> >
> > in
> >
> > netbeans/ide/modules/ext/log4j-1.2.15.jar
> >
> > Our IT security group has flagged it and requires that it be removed
> > even though, as it is version 1, it is not vulnerable to the most famous
> > issue, as apparently there were other issues and it is no longer
> supported.
> >
> > What are the consequences of removing it?
>
> If I saw it correctly, log4j is used by the html validator only.
> Anything that calls into that might break. That also might happen
> indirectly.
>
> >
> > How would I go about committing or just suggesting a change to have
> > it removed from future versions
>
> Have a look at the html.parser and html.validator modules. Both most
> probably need to be updated or might be patched not to carry log4j.
> Patching html.validator might be the quickest way, updates to current
> version might be better in the long run.
>
> The hard
>
> > to avoid triggering our security team from telling everyone to delete
> > it and maybe all of netbeans with it?
>
> The alternative is: Solve organisational problems inside the organisation.
> If the security team indeed has the misconception that "has log4j === is
> vulnerable", then you might need a new security team.
>
> My status on the CVEs:
>
> - CVE-2019-17571: SocketServer needs to be explicitly loaded, we are not
> vulnerable
> - CVE-2020-9488: We don't use the SMTPAppender, we are not vulnerable
> - CVE-2021-4104: We don't use the JMSAppender, we are not vulnerable
> - CVE-2022-23302: We don't use the JMSSink, we are not vulnerable
> - CVE-2022-23305: We don't use the JDBCAppender, we are not vulnerable
> - CVE-2022-23307: Apache Chainsaw is not used
>
> Greetings
>
> Matthias
>

Re: log4j

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi,

Am Freitag, dem 24.03.2023 um 01:59 +0000 schrieb Eirik Bakke:
> Is there any reason to use log4j instead of java.util.logging these
> days? If log4j is only use in one place in the NetBeans codebase, it
> might be beneficial to get rid of it in any case--one less
> dependency, and fewer overlapping logging libraries.

sure, but the usage is only in the codebase by proxy. The html parser
and validator are 90% (or more) external code. That code uses log4j.
You have to look into the code that is used to build the external
binaries for these two components to see the impact of log4j.

Greetings

Matthias



RE: log4j

Posted by Eirik Bakke <eb...@ultorg.com>.
Is there any reason to use log4j instead of java.util.logging these days? If log4j is only used in one place in the NetBeans codebase, it might be beneficial to get rid of it in any case--one less dependency, and fewer overlapping logging libraries.

-- Eirik

-----Original Message-----
From: Matthias Bläsing <mb...@doppel-helix.eu.INVALID> 
Sent: Thursday, March 23, 2023 2:48 PM
To: dev@netbeans.apache.org
Subject: Re: log4j

Hi,

Am Donnerstag, dem 23.03.2023 um 09:53 -0400 schrieb William Shackleford:
> Netbeans appears to include log4j even in the most recent version.
> 
> in
> 
> netbeans/ide/modules/ext/log4j-1.2.15.jar
> 
> Our IT security group has flagged it and requires that it be removed 
> even though, as it is version 1, it is not vulnerable to the most famous 
> issue, as apparently there were other issues and it is no longer supported.
> 
> What are the consequences of removing it?

If I saw it correctly, log4j is used by the html validator only.
Anything that calls into that might break. That also might happen indirectly.

> 
> How would I go about committing or just suggesting a change to have 
> it removed from future versions

Have a look at the html.parser and html.validator modules. Both most probably need to be updated or might be patched not to carry log4j.
Patching html.validator might be the quickest way, updates to current version might be better in the long run.

The hard

> to avoid triggering our security team from telling everyone to delete 
> it and maybe all of netbeans with it?

The alternative is: Solve organisational problems inside the organisation. If the security team indeed has the misconception that "has log4j === is vulnerable", then you might need a new security team.

My status on the CVEs:

- CVE-2019-17571: SocketServer needs to be explicitly loaded, we are not vulnerable
- CVE-2020-9488: We don't use the SMTPAppender, we are not vulnerable
- CVE-2021-4104: We don't use the JMSAppender, we are not vulnerable
- CVE-2022-23302: We don't use the JMSSink, we are not vulnerable
- CVE-2022-23305: We don't use the JDBCAppender, we are not vulnerable
- CVE-2022-23307: Apache Chainsaw is not used

Greetings

Matthias



Re: log4j

Posted by Matthias Bläsing <mb...@doppel-helix.eu.INVALID>.
Hi,

Am Donnerstag, dem 23.03.2023 um 09:53 -0400 schrieb William Shackleford:
> Netbeans appears to include log4j even in the most recent version.
> 
> in
> 
> netbeans/ide/modules/ext/log4j-1.2.15.jar
> 
> Our IT security group has flagged it and requires that it be removed even
> though, as it is version 1, it is not vulnerable to the most famous issue, as
> apparently there were other issues and it is no longer supported.
> 
> What are the consequences of removing it?

If I saw it correctly, log4j is used by the html validator only.
Anything that calls into that might break. That also might happen
indirectly.

> 
> How would I go about committing or just suggesting a change to have it
> removed from future versions

Have a look at the html.parser and html.validator modules. Both most
probably need to be updated or might be patched not to carry log4j.
Patching html.validator might be the quickest way, updates to current
version might be better in the long run.

The hard

> to avoid triggering our security team from
> telling everyone to delete it and maybe all of netbeans with it?

The alternative is: Solve organisational problems inside the
organisation. If the security team indeed has the misconception that
"has log4j === is vulnerable", then you might need a new security team.

My status on the CVEs:

- CVE-2019-17571: SocketServer needs to be explicitly loaded, we are not vulnerable
- CVE-2020-9488: We don't use the SMTPAppender, we are not vulnerable
- CVE-2021-4104: We don't use the JMSAppender, we are not vulnerable
- CVE-2022-23302: We don't use the JMSSink, we are not vulnerable
- CVE-2022-23305: We don't use the JDBCAppender, we are not vulnerable
- CVE-2022-23307: Apache Chainsaw is not used

Greetings

Matthias

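Matthias's CVE status above rests on one general point: each of those log4j 1.2 CVEs is tied to a specific optional component (SocketServer, SMTPAppender, JMSAppender, JMSSink, JDBCAppender, Chainsaw), and a deployment that never configures or loads that component is not exposed to the corresponding issue. The script below is an added example, not code from this thread or from the NetBeans project. It turns that list into a check a defender can run against a log4j 1.x installation: it reads a log4j.properties-style configuration and reports any appender whose class is one of the affected ones (and whether a logger actually references it), and it lists a jar's entries to see whether the affected classes are even present, which is what a repackaged jar like the one the PR aims for should make false. The CVE ids come from the thread; the class names are the standard log4j 1.2 ones; the configuration and the jar are constructed samples, not taken from any real deployment.

```python
"""Triage a log4j 1.x deployment against the component-specific CVEs named above.

Added example. The sample configuration and the sample jar are constructed
in-memory stand-ins, not real NetBeans artifacts.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional, Set, Tuple

# log4j 1.2 class -> CVE id (ids as listed in the thread; class names are
# the standard log4j 1.2 ones).
AFFECTED = {
    "org.apache.log4j.net.SocketServer": "CVE-2019-17571",
    "org.apache.log4j.net.SMTPAppender": "CVE-2020-9488",
    "org.apache.log4j.net.JMSAppender": "CVE-2021-4104",
    "org.apache.log4j.net.JMSSink": "CVE-2022-23302",
    "org.apache.log4j.jdbc.JDBCAppender": "CVE-2022-23305",
}
# Chainsaw is a whole package rather than a single class, so match by prefix.
AFFECTED_PREFIXES = {"org.apache.log4j.chainsaw.": "CVE-2022-23307"}


def cve_for_class(class_name: str) -> Optional[str]:
    """Return the CVE id tied to a log4j 1.2 class, or None if it is not affected."""
    if class_name in AFFECTED:
        return AFFECTED[class_name]
    for prefix, cve in AFFECTED_PREFIXES.items():
        if class_name.startswith(prefix):
            return cve
    return None


# log4j.appender.NAME=fully.qualified.Class   (not the NAME.property lines)
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=\s]+)\s*=\s*(\S+)")
# log4j.rootLogger / rootCategory / logger.X / category.X = LEVEL, app1, app2
_LOGGER_RE = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=\s]+|category\.[^=\s]+)\s*=\s*(.*)$"
)


def parse_properties(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Parse a log4j.properties text.

    Returns (appender name -> class name, names of appenders some logger
    references). PropertyConfigurator only instantiates appenders that a
    logger names, so a defined-but-unreferenced appender is never loaded.
    """
    appenders: Dict[str, str] = {}
    referenced: Set[str] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = _APPENDER_RE.match(line)
        if m:
            appenders[m.group(1)] = m.group(2)
            continue
        m = _LOGGER_RE.match(line)
        if m:
            tokens = [t.strip() for t in m.group(1).split(",")]
            referenced.update(t for t in tokens[1:] if t)  # tokens[0] is the level
    return appenders, referenced


def flag_config(text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (appender, class, cve, referenced) for each affected appender in a config."""
    appenders, referenced = parse_properties(text)
    findings = []
    for name, cls in sorted(appenders.items()):
        cve = cve_for_class(cls)
        if cve:
            findings.append((name, cls, cve, name in referenced))
    return findings


def flag_jar(jar_bytes: bytes) -> Dict[str, str]:
    """Map every affected class present in a jar (a zip file) to its CVE id."""
    found: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue
            cls = entry[: -len(".class")].replace("/", ".")
            cve = cve_for_class(cls)
            if cve:
                found[cls] = cve
    return found


# Constructed sample configuration: one affected appender wired to the root
# logger, one defined but never referenced.
SAMPLE_CONFIG = """
# constructed sample log4j.properties
log4j.rootLogger=INFO, CONSOLE, MAIL
log4j.appender.CONSOLE=org.apache.log4j.ConsoleAppender
log4j.appender.CONSOLE.layout=org.apache.log4j.PatternLayout
log4j.appender.MAIL=org.apache.log4j.net.SMTPAppender
log4j.appender.MAIL.SMTPHost=mail.example.invalid
log4j.appender.JMS=org.apache.log4j.net.JMSAppender
log4j.logger.com.example.audit=DEBUG, CONSOLE
"""


def build_sample_jar() -> bytes:
    """Constructed stand-in for a log4j 1.2 jar: entry names only, empty bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in (
            "org/apache/log4j/Logger.class",
            "org/apache/log4j/net/SocketServer.class",
            "org/apache/log4j/net/JMSAppender.class",
            "org/apache/log4j/chainsaw/Main.class",
        ):
            jar.writestr(entry, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for name, cls, cve, used in flag_config(SAMPLE_CONFIG):
        state = "referenced by a logger" if used else "defined but not referenced"
        print(f"config: appender {name} -> {cls} ({cve}, {state})")
    for cls, cve in sorted(flag_jar(build_sample_jar()).items()):
        print(f"jar: {cls} present ({cve})")
```

Run against a real installation by reading the deployed log4j.properties into flag_config and the bytes of the shipped jar into flag_jar. A jar that contains none of the affected classes cannot load them regardless of configuration, which is the stronger of the two results; the configuration check matters when the jar is unmodified and the question is whether anything actually wires the affected appenders in.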