Re: Log4j vulnerability

[Alonso Del Arte]

On Fri, Dec 17, 2021 at 10:18 AM Jason Abreu  wrote:

> A cursory file search in my NetBeans 12.6 folder shows "log4j-1.2.15.jar"
> in the "netbeans\ide\modules\ext" path.
>
> The vulnerability only seems to be in log4j versions 2+ so I don't think
> there is anything to worry about with the NetBeans IDE, itself.
>
> - Jason
>
That seems to be the consensus on the Slack channel.

Also, as far as I can tell, NetBeans never generates Log4j calls into your
projects (it does add java.util.logging if you have it generate an
exception handler, but that's in the JDK rather than from a third party).

Al

Re: Log4j vulnerability

[Jason Abreu]

A cursory file search in my NetBeans 12.6 folder shows 
"log4j-1.2.15.jar" in the "netbeans\ide\modules\ext" path.


The vulnerability only seems to be in log4j versions 2+ so I don't think 
there is anything to worry about with the NetBeans IDE, itself.


- Jason


On 12/15/21 2:13 PM, Mike Hallan wrote:
Does Netbeans Platform at any level use Log4j? I was thinking maybe 
the logging module may, if not use it, then be based on it.


Are applications built on Netbeans Platform are in any way vulnerable 
to Log4j exploits as described at 
mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?


Thanks,
Mike

Re: Log4j vulnerability

[Carl Mosca]

Log4j-core

On Wed, Dec 15, 2021 at 7:07 PM Alonso Del Arte 
wrote:

> Excellent question. I hope not. I'll check if there's been any discussion
> in the Slack...
>
> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan 
> wrote:
>
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
>> logging module may, if not use it, then be based on it.
>>
>> Are applications built on Netbeans Platform are in any way vulnerable to
>> Log4j exploits as described at
>> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>>
>> Thanks,
>> Mike
>>
>
>
> --
> Alonso del Arte
> Author at SmashWords.com
> 
> Musician at ReverbNation.com 
>
-- 
Regards,
Carl

Re: Log4j vulnerability

[Scott Palmer]

Also consider if NetBeans Platform apps are likely to be in a situation where 
malicious input is possible to exploit the vulnerability in the first place. I 
suppose if the update centre or start page content were hacked it could be a 
vector to get malicious input into the NB logging. 

So the main concern is if log4j is used in the servers or if your platform app 
logs input from the wild. I think you also have to be running on an older JVM, 
don’t you?

Scott

> On Dec 15, 2021, at 7:06 PM, Alonso Del Arte  wrote:
> 
> 
> Excellent question. I hope not. I'll check if there's been any discussion in 
> the Slack...
> 
>> On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan  
>> wrote:
>> Does Netbeans Platform at any level use Log4j? I was thinking maybe the 
>> logging module may, if not use it, then be based on it.
>> 
>> Are applications built on Netbeans Platform are in any way vulnerable to 
>> Log4j exploits as described at 
>> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>> 
>> Thanks,
>> Mike
> 
> 

Re: Log4j vulnerability

[Alonso Del Arte]

Excellent question. I hope not. I'll check if there's been any discussion
in the Slack...

On Wed, Dec 15, 2021 at 2:13 PM Mike Hallan 
wrote:

> Does Netbeans Platform at any level use Log4j? I was thinking maybe the
> logging module may, if not use it, then be based on it.
>
> Are applications built on Netbeans Platform are in any way vulnerable to
> Log4j exploits as described at
> mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
>
> Thanks,
> Mike
>


-- 
Alonso del Arte
Author at SmashWords.com

Musician at ReverbNation.com 

Log4j vulnerability

[Mike Hallan]

Does Netbeans Platform at any level use Log4j? I was thinking maybe the logging 
module may, if not use it, then be based on it.
Are applications built on Netbeans Platform are in any way vulnerable to Log4j 
exploits as described at mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 ?
Thanks,Mike