[GH-ISSUE #116] Log4Shell (CVE-2021-44228) Status in NTify.jar? #91

Open
opened 2026-02-28 14:39:38 +03:00 by kerem · 2 comments

Originally created by @WindowsXPSE on GitHub (Feb 17, 2026).
Original GitHub issue: https://github.com/NTifyApp/NTify/issues/116

Describe the bug
This is not a bug in NTify itself, but a general security concern for users running NTify on Windows XP. Many users (especially on old systems like XP) are still using potentially vulnerable or outdated Java 8 installations. The famous Log4Shell vulnerability (CVE-2021-44228) in Apache Log4j 2.x (versions ≤2.14.1) affected a huge number of Java applications in 2021–2022. Even though NTify might not directly bundle a vulnerable Log4j (I couldn't find any log4j-core.jar in the JAR via 7-Zip check), users could still be at risk if their Java runtime or other dependencies introduce it indirectly, or if future updates add logging that uses vulnerable libs. Adding a clear recommendation in the README would help protect XP users from running unsafe Java versions.

Security note for Windows XP users:
Use a recent and XP-compatible Java 8 build to avoid known vulnerabilities like Log4Shell (CVE-2021-44228 – details: https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
The currently best option I know is ojdkbuild OpenJDK 8 (e.g. 1.8.0.332 or newer XP-patched builds): https://github.com/ojdkbuild/ojdkbuild
Even these builds do not include Log4j themselves (it's an app-level dep), but a safe base JDK reduces overall risk. Match architecture (x86) with your VLC install.

This would guide users away from downloading random/old/vulnerable Java installers from shady sites. Many XP users aren't aware of the risks anymore.
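The 7-Zip check mentioned in the issue body, done programmatically (an added example, not part of the original issue or of NTify's code): it identifies log4j-core by its class path and Maven metadata rather than by file name, and descends into nested JARs. The archives built in `demo()` are constructed samples, and `in_cited_range` applies only the version range the issue cites.

```python
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def in_cited_range(version):
    """True for Log4j 2.x up to 2.14.1, the range cited in the issue."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version or "")
    return bool(m) and (2, 0, 0) <= tuple(int(x or 0) for x in m.groups()) <= (2, 14, 1)

def scan_jar(data, path, max_depth=4):
    """List log4j-core copies in an archive, including shaded and nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # entry had an archive extension but is not a zip
    findings = []
    with zf:
        names = set(zf.namelist())
        text = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.+)$", text, re.M)
        version = m.group(1).strip() if m else None
        if JNDI_CLASS in names or version:
            findings.append({"path": path, "version": version, "jndi_lookup": JNDI_CLASS in names,
                             "in_cited_range": in_cited_range(version)})
        for name in (sorted(names) if max_depth > 0 else []):
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                findings += scan_jar(zf.read(name), f"{path}!/{name}", max_depth - 1)
    return findings

def make_jar(entries):
    """Build a constructed in-memory archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed sample: app JAR with log4j-core 2.14.1 nested under lib/.
    core = make_jar({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: b"version=2.14.1\n"})
    slf4j = make_jar({"org/slf4j/Logger.class": b"\xca\xfe\xba\xbe"})
    app = make_jar({"Main.class": b"", "lib/core.jar": core, "lib/slf4j-api.jar": slf4j})
    return scan_jar(app, "app.jar")

if __name__ == "__main__":
    print(demo())
```

To check a real file, pass its bytes: `scan_jar(open("NTify.jar", "rb").read(), "NTify.jar")`. An empty list means no log4j-core classes or metadata were found at any nesting level.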


@werwolf2303 commented on GitHub (Feb 18, 2026):

I have looked into it and can say with 100% certainty that NTify was never vulnerable to log4j because it uses slf4j and a custom logging implementation.

For the JDK itself, I can't recommend using OpenJDK because its implementation is a little bit different from Oracle JDK's, which renders the application unstable in some cases.

What I can look into is whether the application has other exploitable vulnerabilities and upgrade them if possible or mention them in the README if not.

Thanks for bringing this up tho, I don't want to cause more vulnerabilities on an XP system


@theanthonydavenport commented on GitHub (Feb 26, 2026):

Well said.
