Hi all,
Quoting from the CVE details:
"to remotely execute arbitrary code when combined with a deserialization
gadget when listening to untrusted network traffic for log data"
Apache NetBeans does not "listen to untrusted network traffic for log
data", so it's not vulnerable.
Kind
From that, one way to mitigate the issue would be to uninstall the HTML
editor.
Gj
On Tue, Jan 4, 2022 at 4:31 PM Geertjan Wielenga <
geertjan.wiele...@googlemail.com> wrote:
> Here are the relevant places in the sources:
>
>
>
Here are the relevant places in the sources:
https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list
https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt
I don't see anywhere else, i.e., it's used in the HTML
Indeed, that's a different vulnerability and, indeed, we do need to upgrade
to the latest release of log4j.
Gj
On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx wrote:
> Hi,
>
> The log4j2 security page also clearly states:
>
> "Please note that Log4j 1.x has reached End of Life in 2015 and is no
Hi,
The log4j2 security page also clearly states:
"Please note that Log4j 1.x has reached End of Life in 2015 and is no
longer supported. Vulnerabilities reported after August 2015 against Log4j
1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
to obtain security
We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
--
nb16$ find . -type f | grep -i log4j
./extide/ant/lib/ant-apache-log4j.jar
./ide/modules/ext/log4j-1.2.15.jar
--
So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
source [1]:
"Log4j 1.x is not
Can the following questions be confirmed for NetBeans?
1. Which versions of your products utilize Log4j 1.x, if any?
2. Do they utilize the JMSAppender or SocketServer classes?
3. Do you have any mitigation options available for addressing both
CVE-2019-17571 and CVE-2021-4104?
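One way to answer the first two questions mechanically, as an added example that is not part of this thread or of the NetBeans project: a Python scanner that walks an installation the way the `find . -type f | grep -i log4j` command above does, reads the version out of each log4j jar name, and opens the jar to see whether it bundles the JMSAppender and SocketServer classes named in the two CVEs. The directory tree it scans is constructed inline as a stand-in for the NetBeans 12.6 layout, and the jars hold placeholder entries rather than real bytecode. A hit only says that the jar ships those classes; whether anything is configured to listen for untrusted log traffic is the separate question the thread raises.

```python
"""Scan a directory tree for log4j 1.x jars and report whether they bundle the
classes behind CVE-2021-4104 (JMSAppender) and CVE-2019-17571 (SocketServer).
Example code; the sample tree is constructed here, not taken from a real build."""
import os
import re
import tempfile
import zipfile

# Entry names inside a log4j 1.x jar that the two advisories concern.
RISKY_CLASSES = {
    "JMSAppender": "org/apache/log4j/net/JMSAppender.class",
    "SocketServer": "org/apache/log4j/net/SocketServer.class",
}
# Pulls "1.2.15" out of "log4j-1.2.15.jar"; jars without that shape report "unknown".
VERSION_RE = re.compile(r"log4j-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def scan_jar(path):
    """Return the risky classes bundled in one jar ([] if none, or if it is not a zip)."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except zipfile.BadZipFile:
        return []
    return [name for name, entry in RISKY_CLASSES.items() if entry in names]


def scan_tree(root):
    """Walk `root` like `find . -type f | grep -i log4j`, one record per log4j jar."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if "log4j" not in fn.lower() or not fn.lower().endswith(".jar"):
                continue
            full = os.path.join(dirpath, fn)
            m = VERSION_RE.search(fn)
            version = m.group(1) if m else "unknown"
            findings.append({
                "path": os.path.relpath(full, root),
                "version": version,
                "is_1x": version.startswith("1."),
                "bundles": scan_jar(full),
            })
    return sorted(findings, key=lambda f: f["path"])


def needs_review(findings):
    """Paths of 1.x jars that bundle at least one of the classes; presence is not use,
    so each still needs a look at how (or whether) the appender/server is configured."""
    return [f["path"] for f in findings if f["is_1x"] and f["bundles"]]


def build_sample_tree():
    """Construct a throwaway tree shaped like the `find` output above (hypothetical
    contents: placeholder entries stand in for the real jars' class files)."""
    root = tempfile.mkdtemp(prefix="nb-sample-")
    samples = {
        "ide/modules/ext/log4j-1.2.15.jar": [
            "org/apache/log4j/Logger.class",
            RISKY_CLASSES["JMSAppender"],
            RISKY_CLASSES["SocketServer"],
        ],
        "extide/ant/lib/ant-apache-log4j.jar": [
            "org/apache/tools/ant/listener/Log4jListener.class",
        ],
    }
    for rel, entries in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with zipfile.ZipFile(full, "w") as jar:
            for entry in entries:
                # Class-file magic only; these are not real compiled classes.
                jar.writestr(entry, b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    findings = scan_tree(build_sample_tree())
    for f in findings:
        flag = "REVIEW" if f["is_1x"] and f["bundles"] else "ok"
        bundled = ", ".join(f["bundles"]) or "-"
        print(f'{flag:6} {f["path"]} (log4j {f["version"]}) bundles: {bundled}')
```

Run against a real installation by replacing `build_sample_tree()` with the install root; the `ant-apache-log4j.jar` hit from the `find` output is only Ant's listener bridge and will report no bundled classes, which is why the filename match alone is not enough.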