From that, one way to mitigate the issue would be to uninstall the HTML editor.
Gj

On Tue, Jan 4, 2022 at 4:31 PM Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:

> Here are the relevant places in the sources:
>
> https://github.com/apache/netbeans/blob/master/ide/html.validation/external/binaries-list
>
> https://github.com/apache/netbeans/blob/master/ide/html.validation/external/log4j-1.2.15-license.txt
>
> I don't see anywhere else, i.e., it's used in the HTML editor for
> validation, looks like.
>
> Gj
>
> On Tue, Jan 4, 2022 at 4:24 PM Geertjan Wielenga <geertjan.wiele...@googlemail.com> wrote:
>
>> Indeed, that's a different vulnerability and, indeed, we do need to
>> upgrade to the latest release of log4j.
>>
>> Gj
>>
>> On Tue, Jan 4, 2022 at 4:21 PM Humphrey Clerx <hcl...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> The log4j2 security page also clearly states:
>>>
>>> "Please note that Log4j 1.x has reached End of Life in 2015 and is no
>>> longer supported. Vulnerabilities reported after August 2015 against Log4j
>>> 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2
>>> to obtain security fixes."
>>>
>>> And there is a security vulnerability present in log4j 1.x,
>>> CVE-2019-17571 <https://www.cvedetails.com/cve/CVE-2019-17571/> that
>>> might need addressing in NetBeans. This is stated on the following page:
>>>
>>> - https://logging.apache.org/log4j/1.2/
>>>
>>> Greets,
>>> Humphrey.
>>>
>>> On Tue, Jan 4, 2022 at 2:21 PM Geertjan Wielenga <geertjan.wiele...@googlemail.com.invalid> wrote:
>>>
>>>> We've looked for "log4j" in the NetBeans 12.6 binaries, as follows:
>>>>
>>>> --
>>>> nb16$ find . -type f | grep -i log4j
>>>> ./extide/ant/lib/ant-apache-log4j.jar
>>>> ./ide/modules/ext/log4j-1.2.15.jar
>>>> --
>>>>
>>>> So, we ship "log4j-1.2.15.jar" with the binaries and, quoting the official
>>>> source [1]:
>>>>
>>>> "Log4j 1.x is not impacted by this vulnerability."
>>>>
>>>> (where "this vulnerability" means
>>>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44832).
>>>>
>>>> Hope it helps,
>>>>
>>>> Gj
>>>>
>>>> [1] https://logging.apache.org/log4j/2.x/security.html
>>>>
>>>> On Mon, Jan 3, 2022 at 10:33 PM <ashley.ding...@wellsfargo.com.invalid> wrote:
>>>>
>>>>> Can the following questions be confirmed for NetBeans?
>>>>>
>>>>> 1. Which versions of your products utilize Log4j 1.x, if any?
>>>>>
>>>>> 2. Do they utilize the JMSAppender or SocketServer classes?
>>>>>
>>>>> 3. Do you have any mitigation options available for addressing
>>>>> both CVE-2019-17571 and CVE-2021-4104?
>>>>>
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2019-17571
>>>>>
>>>>> https://nvd.nist.gov/vuln/detail/CVE-2021-4104
>>>>>
>>>>> 4. Would it impact the product if we deleted both the
>>>>> net/JMSAppender.class and net/SocketServer.class from the Log4j 1.x
>>>>> JAR itself?
>>>>>
>>>>> 5. Can you provide a roadmap of when you plan to move to Log4j
>>>>> version 2.15 or higher?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ashley Dingman
>>>>>
>>>>
>>>
>>> --
>>> In the mountains of truth, you never climb in vain - Nietzsche
>>> #-------------------------------------------------------------
>>>    \_O
>>>  ,__/>
>>>  <"
>>>   '
>>
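The two practical questions in the thread are "which jars in the install tree are Log4j 1.x" (the `find ... | grep -i log4j` check) and "does the jar carry JMSAppender and SocketServer, and can they be deleted from it". The script below is an added example, not NetBeans or Log4j project code, that does both offline: it walks a directory for `log4j-1.*.jar`, lists which of the two class files named in the thread are present, and writes a copy of the jar with those entries stripped (the same effect as `zip -d` on the jar). The jar it operates on is a constructed stand-in with placeholder bytes in place of real bytecode; the directory layout mirrors the `ide/modules/ext/` path from the thread only for illustration.

```python
"""Added example (not NetBeans or Log4j project code): locate Log4j 1.x jars in
an install tree, report whether the JMSAppender/SocketServer classes are
present, and produce a stripped copy of the jar."""
import os
import re
import tempfile
import zipfile

# The two class files named in the thread. JMSAppender is the component behind
# CVE-2021-4104, SocketServer the one behind CVE-2019-17571; both live under
# org.apache.log4j.net in the 1.x jar.
RISKY_ENTRIES = (
    "org/apache/log4j/net/JMSAppender.class",
    "org/apache/log4j/net/SocketServer.class",
)

# Narrower than `grep -i log4j`: matches the 1.x jar itself, not adapters such
# as ant-apache-log4j.jar, which only bridge to whatever log4j is on the path.
LOG4J1_JAR = re.compile(r"^log4j-1\.[\w.-]*\.jar$", re.IGNORECASE)


def find_log4j1_jars(root):
    """Walk `root` and return every file whose name looks like a Log4j 1.x jar."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if LOG4J1_JAR.match(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def risky_classes(jar_path):
    """Return the risky entries actually present in the jar (question 2 above)."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
    return [entry for entry in RISKY_ENTRIES if entry in names]


def strip_classes(src_jar, dst_jar, entries=RISKY_ENTRIES):
    """Copy src_jar to dst_jar without `entries`; return the names removed.
    Equivalent to: zip -q -d log4j-1.2.15.jar org/apache/log4j/net/JMSAppender.class ..."""
    removed = []
    with zipfile.ZipFile(src_jar) as src, \
            zipfile.ZipFile(dst_jar, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename in entries:
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return removed


def audit_tree(root):
    """Map every Log4j 1.x jar under `root` to the risky entries it contains."""
    return {jar: risky_classes(jar) for jar in find_log4j1_jars(root)}


def build_sample_jar(path):
    """Constructed stand-in for log4j-1.2.15.jar: real entry names, placeholder bytes."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/log4j/Logger.class", b"\xca\xfe\xba\xbe")
        for entry in RISKY_ENTRIES:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
        # SocketNode is the class that actually deserializes the socket stream;
        # it is kept here so the demo shows what stripping SocketServer leaves behind.
        zf.writestr("org/apache/log4j/net/SocketNode.class", b"\xca\xfe\xba\xbe")
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ext = os.path.join(tmp, "ide", "modules", "ext")  # layout borrowed from the thread
        os.makedirs(ext)
        jar = build_sample_jar(os.path.join(ext, "log4j-1.2.15.jar"))
        print(audit_tree(tmp))
        hardened = os.path.join(ext, "log4j-1.2.15-stripped.jar")
        print("removed:", strip_classes(jar, hardened))
        print(audit_tree(tmp))
```

Two caveats when using this against a real install. First, the `find` output in the thread also lists `ant-apache-log4j.jar`; that is the Ant adapter, which contains no Log4j classes of its own, so the jar-name filter above deliberately skips it. Second, deleting `SocketServer.class` removes the standalone server entry point, but `org.apache.log4j.net.SocketNode` is the class that calls `readObject` on the incoming stream, so treat the two-class list from the question as a starting point rather than a complete fix; the upgrade the thread settles on is the real remedy.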