Log4j security issues

[rombaum]

Dear OLS team, Dear @henrietteharmse, Dear @udp,

did you think there are any problems in context of the Log4j security issues for OLS? OLS is using an older version of Apache Solr. As far as I know that is a problem because Solr uses Log4j. That sounds for me it could be critical to use OLS.

So is there a way to upgrade or disable this functionality to get rid of the risk of this issue?

I'm looking forward,

Roman

[jamesamcl]

Hi, as far as we know this isn't an issue for OLS because:

• OLS itself uses Logback, not log4j
• We use Solr 3.5.x which uses Log4j 1.x, which is not affected (only Log4j 2.x)
• We use Neo4j 2.x, and only Neo4j 4.2+ are affected

[jamesamcl]

The Docker image uses Solr 5.3.x, which also seems to use Log4j 1.x:

[solr-5.3.0]$ find . | grep log4j
[..]
./server/lib/ext/log4j-1.2.17.jar
./server/lib/ext/slf4j-log4j12-1.7.7.jar
./licenses/log4j-1.2.17.jar.sha1
[..]

[rombaum]

Hi @udp

thank for your reply. First of all that sounds good. But I found this:

Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI look up mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can perform a remote code execution attack whenever Log4j 1.x reads its malicious configuration file. Source: https://www.technology.pitt.edu/content/additional-guidance-regarding-log4j-vulnerability

Is the JMSAppender disabled in OLS/OxO?

[jamesamcl]

an attacker who can write to an application's Log4j configuration file

If an attacker can write to your configuration files, you're toast anyway...