Bug 449822

Summary: Vurnability to CVE-2021-44228 in Apache Log4j framework
Product: [Applications] kdenlive Reporter: Danny Z <danny.zwaard>
Component: Setup & InstallationAssignee: Vincent PINON <vpinon>
Status: CLOSED FIXED    
Severity: normal    
Priority: NOR    
Version: 21.04.3   
Target Milestone: ---   
Platform: Microsoft Windows   
OS: Microsoft Windows   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Bug Depends on:    
Bug Blocks: 450294    

Description Danny Z 2022-02-09 07:26:56 UTC 
SUMMARY
I work for the regional government "Region Kronoberg" (www.kronoberg.se) and in our healthcare organisation we your program KDenlive version 21.04.3 . 

Recently it became known that there is a vulnerability in the framework for JAVA called Apache Log4j. 
JAVA. Log4J is a log management framework that can be used in JAVA. 
We now examining all systems and software used in our organisation to see if these systems / software use Log4j. 

I would appriciate if the following questions can be answered: 
- Does your product Kdenlive version 21.04.3 contain the Log4J framework? 
- Is your product vulnerable to CVE-2021-44228? More information is available at: NVD - CVE-2021-44228 (nist.gov) 

If the answer on one of these questions is "Yes" answer even the following questions:
- how do you intend to deal with the vulnerability? 
- How should we act as a user? 
- If there is no resolution availble at this moment WHEN is will a resolution be released and WHAT do you suggest we do in the meantime? 

Since this is a serious vulnerability I hope to get an answer very soon.

With kind regards,
Danny Zwaard 


SOFTWARE/OS VERSIONS
Windows: 10 (Version 10.0.18363.2037)
Comment 1 Vincent PINON 2022-02-09 09:18:20 UTC 
Hello,
No worry we don't use java, so no vulnerability to log4j.
It's true we don't have manpower to track CVE for all the dependencies we rely on when building our binaries in KDE Craft (eg Qt, FFmpeg...)
Comment 2 Danny Z 2022-02-10 13:29:24 UTC 
Our IT dept was not fully satisfied with the answer given. According to them there is a risk that Java is used embedded in other programming languages and therefore a possiblilty that Log4j is used somewhere embedded.
They would like to get a statement that Kdenlive version 21.04.3 is NOT affected by vurnerabilities in Log4j (CVE-2021-44228).
Can you confirm this statement?