Is RDF4J vulnerable to the new log4j exploit? #3503
-
|
I know that we don't use log4j, but we do use the log4j over slf4j adapter. Is log4j used by any of our dependencies? |
Beta Was this translation helpful? Give feedback.
Replies: 4 comments 8 replies
-
|
By elasticsearch I think (might be compliance test only)... I've just seen a warning from dependabot
Best regards,
Bart
…________________________________
From: hmottestad ***@***.***>
Sent: Friday, December 10, 2021 9:50
To: eclipse/rdf4j ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [eclipse/rdf4j] Is RDF4J vulnerable to the new log4j exploit (Discussion #3503)
I know that we don't use log4j, but we do use the log4j over slf4j adapter.
Is log4j used by any of our dependencies?
https://www.lunasec.io/docs/blog/log4j-zero-day/
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#3503>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAOHUPJWVMWIWAEE7TI4HFTUQG5MNANCNFSM5JYSSKAQ>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Beta Was this translation helpful? Give feedback.
-
|
Indeed, used in https://github.com/eclipse/rdf4j/blob/main/compliance/elasticsearch/pom.xml
I'll create a github ticket for it.
Bart
…________________________________
From: Bart Hanssens (BOSA) ***@***.***>
Sent: Friday, December 10, 2021 10:11
To: eclipse/rdf4j ***@***.***>
Subject: Re: [eclipse/rdf4j] Is RDF4J vulnerable to the new log4j exploit (Discussion #3503)
By elasticsearch I think (might be compliance test only)... I've just seen a warning from dependabot
Best regards,
Bart
________________________________
From: hmottestad ***@***.***>
Sent: Friday, December 10, 2021 9:50
To: eclipse/rdf4j ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [eclipse/rdf4j] Is RDF4J vulnerable to the new log4j exploit (Discussion #3503)
I know that we don't use log4j, but we do use the log4j over slf4j adapter.
Is log4j used by any of our dependencies?
https://www.lunasec.io/docs/blog/log4j-zero-day/
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub<#3503>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AAOHUPJWVMWIWAEE7TI4HFTUQG5MNANCNFSM5JYSSKAQ>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
Beta Was this translation helpful? Give feedback.
-
|
To clarify for users of RDF4J: RDF4J as a framework is logger-agnostic (using SLF4J), so for RDF4J users this will not require a version update of their RDF4J dependencies. Reading the CVE, it is only the log4j-core library that is affected. The log4j-over-slf4j adapter is maintained by the SLF4J project and is not affected by this vulnerability. In summary:
The only places log4j-core is referenced in our code base is as test-only dependencies for the elasticsearch, solr, and lucene modules. We are fixing those (thanks for the quick reaction @barthanssens !). However, those test dependencies are not distributed as releases and will not affect normal usage of RDF4J. |
Beta Was this translation helpful? Give feedback.
-
|
Seems that log4j is in use in the SolrSail at least. Command: |
Beta Was this translation helpful? Give feedback.
-
|
Hmz, can't find log4j-core in the 3.7.x / 4.0.0-M1 SDKs lib directory, nor in the war WEB-INF's or OSGI... but please double/triple-check :-) (nor a log4j-over-slf4j adapter for that matter, so I'm wondering if logging without adding additional dependencies actually works for Solr/ES sails, we do include logback-core - which isn't affected) |
Beta Was this translation helpful? Give feedback.
-
|
This log4j-core dependency comes transitively through solr-core. Luckily, solr-core itself is an optional dependency, which means we don't distribute it. This is why it doesn't show up in the SDK zip, despite being a compile-time dependency. So we're good, with respect to not needing a patch release. We do need to fix the pom in sail-solr, and make sure log4j-core is explicitly excluded. |
Beta Was this translation helpful? Give feedback.
-
|
Minor followup: it appears the fix in log4j-core 2.15.0 was incomplete, and another patch release has been done: 2.16.0 (see also dependabot PR at #3513). I've reopened #3504 to address this (and we can tackle the exclusion in sail-solr while we're at it, hopefully). |
Beta Was this translation helpful? Give feedback.
-
|
To a lesser extent logback-core might be vulnerable (one has to have write access to the config file), https://jira.qos.ch/browse/LOGBACK-1591 |
Beta Was this translation helpful? Give feedback.
-
|
The logback one is fairly low severity. You need both write access to the config file and access to force a reload of the config file into logback. With log4j the attacker just needed to trigger that user input was logged. |
Beta Was this translation helpful? Give feedback.
To clarify for users of RDF4J:
RDF4J as a framework is logger-agnostic (using SLF4J), so for RDF4J users this will not require a version update of their RDF4J dependencies. Reading the CVE, it is only the log4j-core library that is affected. The log4j-over-slf4j adapter is maintained by the SLF4J project and is not affected by this vulnerability.
In summary: