Hi
The link provided by Seth is the best source of information. I will summarize a few of the points.
I would also like to note that log4j will not be used in the next release of NetLogo.
I don’t think you can simply drop in a different version of log4j.
The use of log4j by NetLogo does not open the user to the recent major vulnerabilities for a number of reasons.
The vid extension does make use of a more recent version of log4j. This should still not cause a security risk. However you can delete the app\extensions\.bundled\vid\ folder or just remove those log4j jar files from it. It'll stop the vid extension from working, but the rest of NetLogo should be fine
It is also easy to remove this extension from within NetLogo. In NetLogo click on the Tools -> Extensions menu item. Then scroll to the Vid extension (or type Vid in the search bar) and click on the Vid entry. There will be an option in the right hand column to uninstall the extensions.
Please let us know if you have any further questions.
Aaron
--
Aaron Brandes, Software Developer
Center for Connected Learning and Computer-Based Modeling
From: <netlog...@googlegroups.com> on behalf of Seth Tisue <se...@tisue.net>
Date: Saturday, June 25, 2022 at 6:59 PM
To: netlogo-devel <netlog...@googlegroups.com>
Subject: [netlogo-devel] Re: log4j
see discussion at https://github.com/NetLogo/NetLogo/issues/2001
--
You received this message because you are subscribed to the Google Groups "netlogo-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
netlogo-deve...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/netlogo-devel/fee861ed-d904-4895-9b14-eb60375c02edn%40googlegroups.com.