JDownloader Community - Appwork GmbH
 

  #1  
Old 13.12.2021, 11:39
coalado coalado is offline
JD Manager
 
Join Date: Feb 2009
Posts: 1,985
CVE-2021-44228, log4j, JDownloader is NOT affected

We just want to let you know that neither JDownloader nor any other of our projects make use of log4j and thus are not affected by this security vulnerability.

Edit: 15.12.2021
Due to a question on Reddit, we would like to go into a bit more detail:

Neither JDownloader itself nor its libraries/dependencies use or contain log4j. This includes all executable code in
- JDownloader.jar
- Core.jar
- All dependencies in the /libs/ folder
- All extensions in the /extensions/ folder
- All plugins in jd/plugins/ folders

If you want to be sure:
Executable code is stored in *.jar files (and the plugin folders).
You can open these jar files with any ZIP extractor. As long as you don't find any strings or files that start with/contain org.apache.log4j or org.apache.logging.log4j we are fine.
__________________

Last edited by Jiaz; 15.12.2021 at 14:31.
  #2  
Old 13.12.2021, 12:49
raztoki raztoki is offline
English Supporter
 
Join Date: Apr 2010
Location: Australia
Posts: 17,460

1984 was such a great year =]
__________________
raztoki @ jDownloader reporter/developer
http://svn.jdownloader.org/users/170

Don't fight the system, use it to your advantage. :]
  #3  
Old 14.12.2021, 19:25
Tedolly Tedolly is offline
Linkgrabbing Monster
 
Join Date: Dec 2015
Posts: 85

(Sorry, bad English)

JDownloader\jre\lib\resources.jar

This JAR file contains some strings with "log4j".

JCEAlias CDATA #IMPLIED ><!ELEMENT Log4J EMPTY><!ATTLIST Log4J configFile CDATA 'data/log4j.xml' >

But after unpacking with WinRAR, there are NO log4j files in the resources folder.

I don't know the format of JARs and I don't know Java.
Is there any problem because of the strings "log4j" in resources.jar?
  #4  
Old 15.12.2021, 10:53
coalado coalado is offline
JD Manager
 
Join Date: Feb 2009
Posts: 1,985

Quote:
Originally Posted by Tedolly
I don't know the format of JARs and I don't know Java.
Is there any problem because of the strings "log4j" in resources.jar?
Thanks a lot for this finding! But no, that's not a problem at all. You refer to resources.jar/com/sun/org/apache/xml/internal/security/resource/config.dtd. This is not executable code, just a type definition for the XML parser.


About Jar-files: See the first post
__________________

Last edited by coalado; 15.12.2021 at 11:07.
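The check described in the first post, combined with the resources.jar question answered in post #4, as an added example (not JDownloader or AppWork code). It separates archive entries stored under a log4j package path from files that merely contain the text "log4j"; the function names and both sample JARs are constructed for illustration.

```python
import io
import zipfile

# Package paths from the first post, written the way they appear inside a JAR.
LOG4J_PATHS = ("org/apache/log4j/", "org/apache/logging/log4j/")
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, label):
    """Scan one archive given as bytes. Returns (bundled, mentions):
    bundled  = entries stored under a log4j package path (library code present)
    mentions = other entries whose content contains 'log4j' (any letter case)."""
    bundled, mentions = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, where = info.filename, f"{label}!/{info.filename}"
            if any(p in name for p in LOG4J_PATHS):
                bundled.append(where)
            elif name.lower().endswith(ARCHIVES):
                try:  # JARs can be nested inside JARs, so recurse
                    b, m = scan_archive(zf.read(info), where)
                except zipfile.BadZipFile:
                    continue
                bundled += b
                mentions += m
            elif b"log4j" in zf.read(info).lower():
                mentions.append(where)
    return bundled, mentions

def make_jar(entries):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample 1: only a DTD that mentions Log4J, like the resources.jar finding.
DTD_ONLY = make_jar({
    "com/sun/org/apache/xml/internal/security/resource/config.dtd":
        b"<!ELEMENT Log4J EMPTY><!ATTLIST Log4J configFile CDATA 'data/log4j.xml' >"})
# Constructed sample 2: hypothetical app JAR with a log4j class inside a nested JAR.
BUNDLED = make_jar({"libs/inner.jar": make_jar(
    {"org/apache/logging/log4j/Example.class": b"\xca\xfe\xba\xbe"})})

if __name__ == "__main__":
    for label, data in (("resources.jar", DTD_ONLY), ("app.jar", BUNDLED)):
        print(label, scan_archive(data, label))
```

To check a real file, pass its bytes, for example `scan_archive(open(path, "rb").read(), path)`.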
  #5  
Old 15.12.2021, 21:44
Tedolly Tedolly is offline
Linkgrabbing Monster
 
Join Date: Dec 2015
Posts: 85

Very fine!
  #6  
Old 16.12.2021, 21:15
Carmageddon Carmageddon is offline
Modem User
 
Join Date: Nov 2017
Posts: 3

Thanks for the answers. But is the Java Version "Java SE Embedded 8" Version 1.8.0_211-0050 installed on my Synology for JDownloader affected?
Thanks a lot!
  #7  
Old 17.12.2021, 09:44
Jiaz Jiaz is offline
JD Manager
 
Join Date: Mar 2009
Location: Germany
Posts: 77,851

@Carmageddon: The issue is about the log4j library and its usage as a dependency in applications and not about any Java version.
__________________
JD-Dev & Server-Admin