Hallo, regarding the latest
- Apache CVE: CVE-2021-44228 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228> - Apache security advisory: Apache Log4j Security Vulnerabilities <https://logging.apache.org/log4j/2.x/security.html> $ find . -name pom.xml | xargs grep log4j $ find . -type f | xargs grep log4j ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/slf4j-log4j12-1.5.6.jar" /> ./contrib/groovy.grailsproject/test/unit/data/projects/completion/.classpath:<classpathentry kind="var" path="GRAILS_HOME/lib/log4j-1.2.15.jar" /> Binary file ./extide/gradle/external/gradle-6.7-bin.zip matches ./extide/o.apache.tools.ant.module/external/ant-1.10.8-license.txt:Files: ant-misc-1.10.8.zip ant-1.10.8.jar ant-antlr-1.10.8.jar ant-apache-bcel-1.10.8.jar ant-apache-bsf-1.10.8.jar ant-apache-log4j-1.10.8.jar ant-apache-oro-1.10.8.jar ant-apache-regexp-1.10.8.jar ant-apache-resolver-1.10.8.jar ant-apache-xalan2-1.10.8.jar ant-commons-logging-1.10.8.jar ant-commons-net-1.10.8.jar ant-jai-1.10.8.jar ant-javamail-1.10.8.jar ant-jdepend-1.10.8.jar ant-jmf-1.10.8.jar ant-jsch-1.10.8.jar ant-junit-1.10.8.jar ant-junit4-1.10.8.jar ant-launcher-1.10.8.jar ant-netrexx-1.10.8.jar ant-swing-1.10.8.jar ant-testutil-1.10.8.jar ant-xz-1.10.8.jar ./extide/o.apache.tools.ant.module/external/binaries-list:9A3E49630CAF4A67AD6188DC0D9C2D4C52CDF279 org.apache.ant:ant-apache-log4j:1.10.8 ./extide/o.apache.tools.ant.module/external/build.xml: <include name="ant-apache-log4j-1.10.8.jar" /> ./ide/html.validation/external/binaries-list:F0A0D2E29ED910808C33135A3A5A51BBA6358F7B log4j:log4j:1.2.15 ./ide/html.validation/external/log4j-1.2.15-license.txt:URL: http://logging.apache.org/log4j/ Binary file ./ide/html.validation/external/log4j-1.2.15.jar matches Binary file ./ide/html.validation/external/validator-20200626-patched.jar matches ./ide/html.validation/nbproject/project.properties:file.reference.log4j-1.2.15.jar=external/log4j-1.2.15.jar ./ide/html.validation/nbproject/project.properties:release.external/log4j-1.2.15.jar=modules/ext/log4j-1.2.15.jar ./ide/html.validation/nbproject/project.xml: <runtime-relative-path>ext/log4j-1.2.15.jar</runtime-relative-path> ./ide/html.validation/nbproject/project.xml: <binary-origin>external/log4j-1.2.15.jar</binary-origin> ./java/projectimport.eclipse.core/test/unit/data/71770.classpath: <classpathentry kind="lib" path="C:/MyProjects/JavaAPI/log4j-1.2.8.jar"/> /nbbuild/build/license-temp/LICENSE.txt:extide/ant/lib/ant-apache-log4j.jar Apache-2.0-ant ./nbbuild/build/license-temp/LICENSE.txt:ide/modules/ext/log4j-1.2.15.jar Apache-2.0 ./nbbuild/build/notice-temp: - Unnamed - log4j:log4j:jar:1.2.12 ./nbbuild/netbeans/extide/update_tracking/org-apache-tools-ant-module.xml: <file crc="3387204857" name="ant/lib/ant-apache-log4j.jar"/> Binary file ./nbbuild/netbeans/ide/modules/ext/log4j-1.2.15.jar matches ./nbbuild/netbeans/ide/update_tracking/org-netbeans-modules-html-validation.xml: <file crc="2197124025" name="modules/ext/log4j-1.2.15.jar"/> Binary file ./nbbuild/netbeans/java/modules/org-netbeans-modules-j2ee-persistence.jar matches ./nbbuild/netbeans/LICENSE:extide/ant/lib/ant-apache-log4j.jar Apache-2.0-ant ./nbbuild/netbeans/LICENSE:ide/modules/ext/log4j-1.2.15.jar Apache-2.0 ./nbbuild/netbeans/NOTICE: - Unnamed - log4j:log4j:jar:1.2.12 In short, I couldn't find any dependencies to log4j 2.x.x, unless I 'm missing something. In other words, NetBeans is secure by using old log4j versions. Best regards, JK.
