USEPA / EPA_MOVES_Model

Estimating emissions for mobile sources

Remove Apache Log4j #38

Closed danielbizercox closed 2 years ago

danielbizercox commented 2 years ago

MOVES does not use this library, but its jar file is included in the libs directory anyway.

danielbizercox commented 2 years ago

EPA has become aware of a problem with a JAVA file that is included in all current versions of MOVES. MOVES does not actually use the file, but it is likely to be flagged as a security risk during IT security scans. To avoid this inconvenience, we recommend that you remove this file from your MOVES folders.

Versions of the jar file Log4j have been identified as a critical security risk. For more information, see https://nvd.nist.gov/vuln/detail/CVE-2019-17571. Because the file is not run by MOVES, there is no actual vulnerability with MOVES, but there is also no reason to keep the file. We will soon release a patch to MOVES3 (MOVES3.0.3) that removes this file and includes several other small fixes.

If you encounter security warnings about the Log4j file before MOVES3.0.3 is available, we recommend that you delete the file. It will be in the MOVES libs\poi directory. If you have installed MOVES3 in the default location, you will find it in C:\Users\Public\EPA\MOVES\MOVES3.0\libs\poi\. Simply open this folder in File Explorer and delete log4j-1.2.13.jar. There is no need to recompile MOVES.

Similarly, if you have older versions of MOVES installed (such as MOVES2014b), you can find the log4j-1.2.13.jar file in the libs\poi directory of those MOVES installation locations and delete the file there.
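A scriptable version of the clean-up described in the two comments above, added here as an example and not code from the MOVES project: it walks an installation tree you point it at, reports every Log4j 1.x jar (matched by the stock log4j-1.x.y.jar name, or by the org/apache/log4j/ classes inside a renamed copy), and deletes them only when explicitly told to. The only assumptions are the directory layout and file names quoted in the comments; the install root is whatever you pass in.

```python
import os
import re
import zipfile
from pathlib import Path

# Matches the stock file name, e.g. log4j-1.2.13.jar, capturing the version.
LOG4J1_NAME = re.compile(r"^log4j-(1\.\d+(?:\.\d+)?)\.jar$", re.IGNORECASE)


def jar_contains_log4j1(jar_path: Path) -> bool:
    """Inspect the archive so a renamed copy is still caught.

    Log4j 1.x ships its classes under org/apache/log4j/; Log4j 2 uses
    org/apache/logging/log4j/, so it does not match this prefix.
    """
    try:
        with zipfile.ZipFile(jar_path) as zf:
            return any(n.startswith("org/apache/log4j/") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        return False


def find_log4j1_jars(root) -> list[tuple[str, str]]:
    """Return sorted (path, version) pairs for every Log4j 1.x jar under root.

    The version is taken from the file name; a jar identified only by its
    contents is reported with version 'unknown'.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(".jar"):
                continue
            path = Path(dirpath) / fname
            match = LOG4J1_NAME.match(fname)
            if match:
                hits.append((str(path), match.group(1)))
            elif jar_contains_log4j1(path):
                hits.append((str(path), "unknown"))
    return sorted(hits)


def remove_jars(hits, dry_run: bool = True) -> list[str]:
    """Delete the listed jars; with dry_run=True only report what would go."""
    for path, _version in hits:
        if not dry_run:
            os.remove(path)
    return [path for path, _version in hits]
```

On a default Windows install, `find_log4j1_jars(r"C:\Users\Public\EPA\MOVES")` should list only `...\MOVES3.0\libs\poi\log4j-1.2.13.jar` (plus the same file under any older MOVES folders); review that list, then call `remove_jars(hits, dry_run=False)`.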