blazegraph / database

Blazegraph High Performance Graph Database
GNU General Public License v2.0

Upgrade log4j library #217

Closed rodrigobarnes closed 2 years ago

rodrigobarnes commented 2 years ago

The current build of blazegraph appears to use log4j 1.2.17 https://github.com/blazegraph/database/blob/3127706f0b6504838daae226b9158840d2df1744/build.properties#L65

With the risks of the log4jshell vulnerability CVE-2021-44228, can this dependency be removed or upgraded?

beebs-systap commented 2 years ago

@rodrigobarnes According to https://nvd.nist.gov/vuln/detail/CVE-2021-44228 only Log4j2 versions are impacted. Log4j 1.x versions are not indicated in the CVE.

rodrigobarnes commented 2 years ago

@beebs-systap - thanks for picking this up - isn't there a concern that Log4j 1.x versions have vulnerabilities? It went end of life in 2015 and includes at least one vuln: https://logging.apache.org/log4j/1.2/ (https://www.cvedetails.com/cve/CVE-2019-17571/)

thompsonbry commented 2 years ago

At this time it is believed to be safe. We are definitely watching the issue.

Bryan

On Wed, Dec 15, 2021 at 07:51 rodrigobarnes @.***> wrote:

@beebs-systap https://github.com/beebs-systap - thanks for picking this up - isn't there a concern that Log4j 1.x versions have vulnerabilities?


rodrigobarnes commented 2 years ago

Hi @thompsonbry - thanks for the update. Not sure if I can help but happy to test any fixes/updates.

misilot commented 1 month ago

Hello, is there any chance this can be addressed? We are getting dinged for having this version installed.

There is a drop-in replacement, reload4j, which is actively maintained and could possibly be used.

CVE-2019-17571, CVE-2020-9488, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2023-26464
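One way to apply the reload4j swap proposed above, as an added example that is not from this thread or the Blazegraph project: a Maven fragment for a project that depends on Blazegraph, excluding the transitive log4j:log4j 1.2.x artifact and depending on reload4j instead. The reload4j coordinates are its published ones; the Blazegraph artifact name and both version values are assumptions to adjust to your build.

```xml
<!-- Added example (not from the Blazegraph project): replace log4j 1.2.x
     with reload4j in a Maven consumer of Blazegraph. Assumptions: the
     project builds with Maven, "com.blazegraph:bigdata-core" is the
     artifact that drags in log4j, and both versions are placeholders. -->
<dependencies>
  <!-- Every dependency that transitively pulls in log4j:log4j needs an
       exclusion; otherwise both jars end up on the classpath and the
       old one may still be loaded first. -->
  <dependency>
    <groupId>com.blazegraph</groupId>
    <artifactId>bigdata-core</artifactId>
    <version>${blazegraph.version}</version>  <!-- placeholder property -->
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- reload4j ships the same org.apache.log4j package names, so neither
       source code nor an existing log4j.properties has to change. -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.25</version>  <!-- placeholder: pin to the current release -->
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=log4j:log4j` should print no matching nodes; any that remain point at another dependency still needing the same exclusion.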