NVAccess Confirms: NVDA is NOT vulnerable to Log4j


Brian Moore
 

Hi.  So after a rather long fight, we got NVDA available for use at work.

This morning I got a question from the security folks about this one.

Log4Shell: How to detect the Log4j vulnerability in your applications | InfoWorld


I am fairly certain that NVDA is not impacted, being written in Python and not Java, but it would be good to confirm if anyone knows for sure.


Thanks.

Brian.

-- 
Contact me on skype: brian.moore
follow me on twitter:
http://www.twitter.com/bmoore123


Devin Prater
 

NVDA is written in Python and C, with hooks, I assume written in Python or C, into the Java Access Bridge. Doesn't it come with the Java Access Bridge nowadays?
Devin Prater




On Mon, Dec 13, 2021 at 7:52 AM Brian Moore <bmoore@...> wrote:

Hi.  So after a rather long fight, we got NVDA available for use at work.

This morning I got a question from the security folks about this one.

Log4Shell: How to detect the Log4j vulnerability in your applications | InfoWorld


I am fairly certain that NVDA is not impacted, being written in Python and not Java, but it would be good to confirm if anyone knows for sure.


Thanks.

Brian.

-- 
Contact me on skype: brian.moore
follow me on twitter:
http://www.twitter.com/bmoore123


 

Hi,

I believe this should have no (to minimal) impact on NVDA - although NVDA does interface with JAB (Java Access Bridge), it is limited to obtaining accessibility information provided by JAB.

Cheers,

Joseph


Quentin Christensen
 

Hi everyone,

Just confirming that while this vulnerability has caused quite a stir and a lot of worry in various circles, NVDA itself and all of the surrounding architecture (such as our website, servers and so on) are not impacted, affected or vulnerable in this case.

I did have one email from a company this morning asking that same question - if that wasn't your company Brian and they still want to contact us to check, please they are most welcome to.

I did just put a note on our Corporate and Government page to the same effect: https://www.nvaccess.org/corporate-government/

Kind regards

Quentin.

On Tue, Dec 14, 2021 at 3:33 AM Joseph Lee <joseph.lee22590@...> wrote:

Hi,

I believe this should have no (to minimal) impact on NVDA - although NVDA does interface with JAB (Java Access Bridge), it is limited to obtaining accessibility information provided by JAB.

Cheers,

Joseph



--
Quentin Christensen
Training and Support Manager


 

I have just retitled this topic in the hopes that once web crawlers have indexed it under the new title, it will turn up for those trying to determine whether NVDA may be vulnerable.

Thanks to Quentin for the definitive answer and for posting same on the NVAccess site.
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  

Science has become just another voice in the room; it has lost its platform.  Now, you simply declare your own truth.

       ~ Dr. Paul A. Offit, in New York Times article, How Anti-Vaccine Sentiment Took Hold in the United States, September 23, 2019

 


Brian Moore
 

Hello Quentin.  Thanks for this. It is most helpful.

Brian.


Contact me on skype: brian.moore
follow me on twitter:
http://www.twitter.com/bmoore123
On 2021-12-13 7:37 p.m., Quentin Christensen wrote:

Hi everyone,

Just confirming that while this vulnerability has caused quite a stir and a lot of worry in various circles, NVDA itself and all of the surrounding architecture (such as our website, servers and so on) are not impacted, affected or vulnerable in this case.

I did have one email from a company this morning asking that same question - if that wasn't your company Brian and they still want to contact us to check, please they are most welcome to.

I did just put a note on our Corporate and Government page to the same effect: https://www.nvaccess.org/corporate-government/

Kind regards

Quentin.

On Tue, Dec 14, 2021 at 3:33 AM Joseph Lee <joseph.lee22590@...> wrote:

Hi,

I believe this should have no (to minimal) impact on NVDA - although NVDA does interface with JAB (Java Access Bridge), it is limited to obtaining accessibility information provided by JAB.

Cheers,

Joseph



--
Quentin Christensen
Training and Support Manager


Sarah k Alawami
 

Is there a way to merge everything into this topic here? I should know that answer but my brain is tired right now.

 

Thanks for the statement Quentin though.

 

From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Brian Vogel
Sent: Monday, December 13, 2021 4:45 PM
To: nvda@nvda.groups.io
Subject: Re: [nvda] NVAccess Confirms: NVDA is NOT vulnerable to Logj4

 

I have just retitled this topic in the hopes that once web crawlers have indexed it under the new title, it will turn up for those trying to determine whether NVDA may be vulnerable.

Thanks to Quentin for the definitive answer and for posting same on the NVAccess site.
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  

Science has become just another voice in the room; it has lost its platform.  Now, you simply declare your own truth.

       ~ Dr. Paul A. Offit, in New York Times article, How Anti-Vaccine Sentiment Took Hold in the United States, September 23, 2019

 


 

On Mon, Dec 13, 2021 at 08:14 PM, Sarah k Alawami wrote:
Is there a way to merge everything into this topic here?
-
What's to merge?  The original question was whether NVDA was vulnerable.  Quentin gave the short answer, no, with a direct link to the long answer on the NVAccess site, which I'll repeat again here:  https://www.nvaccess.org/corporate-government/ 

That's it.  All of it.
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  

Science has become just another voice in the room; it has lost its platform.  Now, you simply declare your own truth.

       ~ Dr. Paul A. Offit, in New York Times article, How Anti-Vaccine Sentiment Took Hold in the United States, September 23, 2019

 


Sarah k Alawami
 

Ah got yah. Ok, I was going to suggest merging everything, the whole conversation to be neat and tidy, but I’m very weird in that everything must have a place. I’ll go shove off now.

 

From: nvda@nvda.groups.io <nvda@nvda.groups.io> On Behalf Of Brian Vogel
Sent: Monday, December 13, 2021 5:28 PM
To: nvda@nvda.groups.io
Subject: Re: [nvda] NVAccess Confirms: NVDA is NOT vulnerable to Logj4

 

On Mon, Dec 13, 2021 at 08:14 PM, Sarah k Alawami wrote:

Is there a way to merge everything into this topic here?

-
What's to merge?  The original question was whether NVDA was vulnerable.  Quentin gave the short answer, no, with a direct link to the long answer on the NVAccess site, which I'll repeat again here:  https://www.nvaccess.org/corporate-government/ 

That's it.  All of it.
--

Brian - Windows 10, 64-Bit, Version 21H1, Build 19043  

Science has become just another voice in the room; it has lost its platform.  Now, you simply declare your own truth.

       ~ Dr. Paul A. Offit, in New York Times article, How Anti-Vaccine Sentiment Took Hold in the United States, September 23, 2019

 


Jason Bratcher
 

Java Access Bridge you must install yourself if memory serves me.

--
Jason Bratcher


Chris Mullins
 

Hi

That used to be the case but I think it comes with NVDA these days.

 

Cheers

Chris

 

 

From: Jason Bratcher
Sent: 14 December 2021 15:55
To: nvda@nvda.groups.io
Subject: Re: [nvda] Confirmation

 

Java Access Bridge you must install yourself if memory serves me.

 

--

Jason Bratcher

 

 

 

 

 

 


 

This topic will be locked after this post, but it does deserve a bump, as we've just received another question about NVDA and Log4j.

NVAccess has explicitly confirmed that NVDA is not vulnerable to Log4j, and that notice is posted here: https://www.nvaccess.org/corporate-government/ 
 
The notice, near the top of the page, and in italics, reads:  Note: We have had several questions regarding the Apache Log4j2 vulnerability, which is in the news currently. We can confirm that neither NVDA itself, nor the surrounding NV Access architecture (our website, servers, etc) are vulnerable or affected by this issue.
 
This is the definitive statement on NVDA and the fact that it is not vulnerable to Log4j.
--

Brian - Windows 10, 64-Bit, Version 21H2, Build 19044  

The real art of conversation is not only to say the right thing in the right place but to leave unsaid the wrong thing at the tempting moment.

        ~ Dorothy Nevill