Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread antonio

Hi all,

Quoting from the CVE details:

"to remotely execute arbitrary code when combined with a deserialization 
gadget when listening to untrusted network traffic for log data"


Apache NetBeans does not "listen to untrusted network traffic for log 
data", so it's not vulnerable.


Kind regards,
Antonio

On 4/1/22 at 16:24, Humphrey Clerx wrote:
And there is a security vulnerability present in log4j 1.x, 
CVE-2019-17571  that 
might need addressing in NetBeans. This is stated on the following page:


  - https://logging.apache.org/log4j/1.2/ 





-
To unsubscribe, e-mail: users-unsubscr...@netbeans.apache.org
For additional commands, e-mail: users-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists



Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread Geertjan Wielenga
From that, one way to mitigate the issue would be to uninstall the HTML
editor.

Gj

On Tue, Jan 4, 2022 at 4:31 PM Geertjan Wielenga <
geertjan.wiele...@googlemail.com> wrote:



Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread Geertjan Wielenga
Here are the relevant places in the sources:

https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list

https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt

I don't see anywhere else, i.e., it's used in the HTML editor for
validation, looks like.

Gj

On Tue, Jan 4, 2022 at 4:24 PM Geertjan Wielenga <
geertjan.wiele...@googlemail.com> wrote:



Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread Geertjan Wielenga
Indeed, that's a different vulnerability and, indeed, we do need to upgrade
to the latest release of log4j.

Gj

On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx  wrote:



Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread Humphrey Clerx
Hi,

The log4j2 security page also clearly states:

"Please note that Log4j 1.x has reached End of Life in 2015 and is no
longer supported. Vulnerabilities reported after August 2015 against Log4j
1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
to obtain security fixes."

And there is a security vulnerability present in log4j 1.x, CVE-2019-17571,
that might need addressing in NetBeans. This is stated on the following page:

 - https://logging.apache.org/log4j/1.2/

Greets,
Humphrey.

On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga
 wrote:


-- 
In the mountains of truth, you never climb in vain - Nietzsche
#-
 \_O
,__/>
  <"
   '


Re: Log4j 1.x Vulnerabilities

2022-01-04 Thread Geertjan Wielenga
We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:

--
nb16$ find . -type f | grep -i log4j
./extide/ant/lib/ant-apache-log4j.jar
./ide/modules/ext/log4j-1.2.15.jar
--

So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
source [1]:

"Log4j 1.x is not impacted by this vulnerability."

(where "this vulnerability" means
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).

Hope it helps,

Gj

[1]
https://logging.apache.org/log4j/2.x/security.html

On Mon, Jan 3, 2022 at 10:33 PM 
wrote:



Log4j 1.x Vulnerabilities

2022-01-03 Thread Ashley.Dingman
Can the following questions be confirmed for NetBeans?


  1.  Which versions of your products utilize Log4j 1.x, if any?

  2.  Do they utilize the JMSAppender or SocketServer classes?

  3.  Do you have any mitigation options available for addressing both
      CVE-2019-17571 and CVE-2021-4104?
      https://nvd.nist.gov/vuln/detail/CVE-2019-17571
      https://nvd.nist.gov/vuln/detail/CVE-2021-4104

  4.  Would it impact the product if we deleted both the
      net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x JAR itself?

  5.  Can you provide a roadmap of when you plan to move Log4j version 2.15 or
      higher?

Thanks,
Ashley Dingman
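The thread raises two practical checks: the inventory Geertjan ran over the NetBeans 12.6 binaries (`find . -type f | grep -i log4j`), and questions 2 and 4 above, i.e. whether a shipped Log4j 1.x jar actually carries the JMSAppender and SocketServer classes and what removing them from the jar looks like. The script below is an added example written for this page; it is not NetBeans project code. It assumes the standard Log4j 1.2 class layout (org/apache/log4j/net/JMSAppender.class and org/apache/log4j/net/SocketServer.class) and builds a constructed directory tree that only imitates the two paths from the `find` output, so it runs offline against no real installation.

```python
"""Inventory, inspection and mitigation helper for Log4j 1.x jars.

Added example, not NetBeans code. Assumptions (not from the thread): the
Log4j 1.2 class layout org/apache/log4j/net/{JMSAppender,SocketServer}.class,
and the constructed directory tree in build_sample_tree(), which only
imitates the paths seen in the `find` output on the list.
"""
import os
import re
import tempfile
import zipfile

# The two classes the thread's questions are about:
# JMSAppender (CVE-2021-4104) and SocketServer (CVE-2019-17571).
RISKY_CLASSES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)
# Matches 1.x jar names such as log4j-1.2.15.jar (assumed naming convention).
LOG4J1_JAR = re.compile(r"^log4j-1\.\d+(\.\d+)?\.jar$")
PLACEHOLDER_CLASS = b"\xca\xfe\xba\xbe"  # constructed stand-in for class bytes


def find_log4j_files(root, only_1x_jars=False):
    """Python equivalent of `find . -type f | grep -i log4j`.

    With only_1x_jars=True the broad name match is narrowed to jars that look
    like Log4j 1.x itself, dropping e.g. ant-apache-log4j.jar (an Ant plug-in).
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            lname = name.lower()
            if only_1x_jars:
                if LOG4J1_JAR.match(lname):
                    hits.append(os.path.join(dirpath, name))
            elif "log4j" in lname:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def inspect_jar(path):
    """Question 2 of the thread: which of the risky classes does the jar carry?"""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return {cls: cls in names for cls in RISKY_CLASSES}


def strip_classes(src, dst):
    """Question 4 of the thread: copy src to dst without the risky classes.

    Returns the entry names that were dropped. The original jar is left
    intact so the result can be reviewed before it replaces the shipped file.
    """
    removed = []
    with zipfile.ZipFile(src) as zin, \
            zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename in RISKY_CLASSES:
                removed.append(info.filename)
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed


def config_uses_jms_appender(config_text):
    """True if a log4j.properties/log4j.xml text wires in JMSAppender.

    CVE-2021-4104 needs JMSAppender to be configured, so a jar that merely
    carries the class is an exposure only if some configuration loads it.
    """
    return "org.apache.log4j.net.JMSAppender" in config_text


def audit(root):
    """Inventory of Log4j 1.x jars under root and the classes each contains."""
    return {jar: inspect_jar(jar) for jar in find_log4j_files(root, True)}


def build_sample_tree():
    """Constructed fixture imitating the two paths from the thread's find output."""
    root = tempfile.mkdtemp()
    ext = os.path.join(root, "ide", "modules", "ext")
    ant = os.path.join(root, "extide", "ant", "lib")
    os.makedirs(ext)
    os.makedirs(ant)
    jar = os.path.join(ext, "log4j-1.2.15.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", PLACEHOLDER_CLASS)
        for cls in RISKY_CLASSES:
            zf.writestr(cls, PLACEHOLDER_CLASS)
    with zipfile.ZipFile(os.path.join(ant, "ant-apache-log4j.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return root, jar


if __name__ == "__main__":
    root, jar = build_sample_tree()
    print("all log4j-named files:", find_log4j_files(root))
    for path, flags in audit(root).items():
        print(path, flags)
    hardened = jar + ".stripped"
    print("removed:", strip_classes(jar, hardened))
    print("after stripping:", inspect_jar(hardened))
```

Running the module builds the fixture, lists every log4j-named file (the broad grep), narrows to the one real 1.x jar, reports both classes present, writes a stripped copy and shows them gone. Stripping classes is a stop-gap: it removes the code paths behind the two CVEs but leaves an end-of-life library in place, which is why the thread's own conclusion is to upgrade.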