Posted to user@ant.apache.org by "Banerjee, Saurabh (Pune)" <sa...@Fiserv.com.INVALID> on 2021/12/14 16:36:01 UTC

Query regarding impact due to Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

Hi Team,
We are using the following jars provided by you. We want to know if they are impacted by "Apache Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)". If they are impacted, please let us know about the security recommendation. To find out, we are looking for answers to the following:


  1.  Are you using log4j?
  2.  If you are using log4j 1.x, are you using the JMSAppender class?
  3.  If you are using log4j 2.x, what is your security recommendation to fix the issue?

S No  Jar
1     apache-ant-1.7.0-bin.zip
2     axis-ant.jar




Saurabh Banerjee,
Tech Lead, Software Development
Financial & Risk Management Solution
Fiserv



Re: Query regarding impact due to Log4j Tool : Zero Day in Ubiquitous Under Active Attack (CVE-2021-44228)

Posted by Stefan Bodewig <bo...@apache.org>.
Hi

Apache Ant does not depend on log4j 2.x at all and never has.

There is an optional Log4JListener that can be used to send Ant's logs
through log4j 1.x that has been deprecated for quite some time now. Even
if you still use it, log4j 1.x is not affected by CVE-2021-44228 (but by
several others; log4j 1.x reached its end of life a long time ago).

If you are really using Ant 1.7.0 (which was released almost
exactly fifteen years ago) you are affected by several CVEs fixed by
later versions of Ant, see https://ant.apache.org/security.html

Cheers

        Stefan
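
One way to check the points raised in this thread for yourself, as an added example that is not part of the original messages or of Ant's code: a scanner that looks inside a zip/jar, and any archives nested in it, for the log4j 2.x JndiLookup class and the log4j 1.x JMSAppender class. The sample archive, its entry names and the helper function names are constructed for illustration and do not reflect the real Ant distribution layout.

```python
import io
import zipfile

# Class entries whose presence answers the questions asked in the thread.
MARKERS = {
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": "log4j 2.x JndiLookup (CVE-2021-44228)",
    "org/apache/log4j/net/JMSAppender.class": "log4j 1.x JMSAppender",
    "org/apache/log4j/Logger.class": "log4j 1.x API (org.apache.log4j.Logger)",
}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, name="<root>", max_depth=5):
    """Return sorted (path, finding) pairs for log4j classes in a zip/jar,
    descending into nested archives (read into memory) up to max_depth levels."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a readable archive; nothing to report
    with zf:
        for entry in zf.namelist():
            if entry in MARKERS:
                findings.append((f"{name}!{entry}", MARKERS[entry]))
            elif entry.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                findings += scan_archive(zf.read(entry), f"{name}!{entry}", max_depth - 1)
    return sorted(findings)


def _make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, payload in entries.items():
            zf.writestr(entry, payload)
    return buf.getvalue()


def build_sample_distribution():
    """Constructed stand-in for a tool zip with bundled jars; not the real Ant layout."""
    p = "org/apache/log4j/"
    logging_jar = _make_zip({p + "Logger.class": b"", p + "net/JMSAppender.class": b""})
    tool_jar = _make_zip({"org/example/tool/Main.class": b""})
    return _make_zip({"lib/tool.jar": tool_jar, "lib/logging-1.x.jar": logging_jar})


if __name__ == "__main__":
    for path, finding in scan_archive(build_sample_distribution(), "sample-bin.zip"):
        print(f"{path}: {finding}")
```

To scan a real file, pass its bytes and name, for example `scan_archive(open(path, "rb").read(), path)`; an empty result means none of the listed classes were found in that archive.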
