broadinstitute / cromwell

Scientific workflow engine designed for simplicity & scalability. Trivially transition between one off use cases to massive scale production environments
http://cromwell.readthedocs.io/
BSD 3-Clause "New" or "Revised" License

Is Cromwell affected by log4shell ? #6588

Open ynedelec opened 2 years ago

ynedelec commented 2 years ago

A simple grep through the source code reveals several hits with Log4j:

CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-core</artifactId>
CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-api</artifactId>
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Level;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.LogManager;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Logger;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.core.config.Configurator;
project/Dependencies.scala:    // Replace all log4j usage with slf4j
project/Dependencies.scala:    // https://www.slf4j.org/legacy.html#log4j-over-slf4j
project/Dependencies.scala:    "org.slf4j" % "log4j-over-slf4j" % slf4jV

I wasn't able to expose a vulnerability by using malicious code, but my test is probably not extensive. It looks like this lib is used in a packaging tool of Cromwell, so probably not executed during production. On the other hand, slf4j seems to be used everywhere. Is that abstraction layer vulnerable?

Could you please let us know if you believe Cromwell is affected by Log4shell?

Thanks,

trum994 commented 2 years ago

I have the same question.

natechols commented 2 years ago

I am dealing with this problem too, this page might be helpful: http://slf4j.org/log4shell.html

aednichols commented 2 years ago

Cromwell may be vulnerable in certain configurations. This is being looked into.

We recommend the immediate remedy of disabling the vulnerable feature of Log4j:

-Dlog4j2.formatMsgNoLookups=True

Source.

aednichols commented 2 years ago

Cromwell itself does not use Log4j.

This can be verified by executing sbt dependencyTree and noting that all instances of "log4j" occur in org.slf4j:log4j-over-slf4j which is a Log4j compatibility bridge from a different project.

The utility tool CromwellRefdiskManifestCreator is written in Java and does use Log4j. It is not included in the Cromwell JAR. It is being updated presently.

aednichols commented 2 years ago

We redundantly re-verified the absence of the problem class [0] by unzipping the shipping Cromwell JAR and manually checking that the path is empty.

[0] org/apache/logging/log4j/core/lookup/JndiLookup.class
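An added example (not code from the Cromwell project) that automates the check described in the comment above: open a shipped JAR, descend into any JARs bundled inside it (fat/uber JARs carry dependency JARs as entries), and report every path at which the problem class appears. The archives below are constructed in memory as sample input; the nested JAR name is a placeholder.

```python
"""Scan a JAR, including nested JARs, for the Log4Shell problem class
org/apache/logging/log4j/core/lookup/JndiLookup.class."""
import io
import zipfile

PROBLEM_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NESTED_SUFFIXES = (".jar", ".war", ".zip")


def find_problem_class(data: bytes, prefix: str = "") -> list:
    """Return the paths at which PROBLEM_CLASS occurs inside the archive bytes.

    Nested archives are descended into; a hit inside one is reported as
    'inner.jar!<class path>' so the offending dependency is identifiable.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == PROBLEM_CLASS:
                hits.append(prefix + name)
            elif name.lower().endswith(NESTED_SUFFIXES):
                hits.extend(find_problem_class(zf.read(name), prefix + name + "!"))
    return hits


def check_jar(path: str) -> list:
    """Convenience wrapper for an on-disk JAR (e.g. the shipping Cromwell JAR)."""
    with open(path, "rb") as f:
        return find_problem_class(f.read())


def _make_archive(entries: dict) -> bytes:
    """Build a zip in memory from {entry_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples. CLEAN_JAR only carries slf4j and the log4j-over-slf4j
# bridge (org/apache/log4j/..., the 1.x API), which is not log4j-core and is
# the false-positive that a naive grep for "log4j" raises. FAT_JAR bundles a
# placeholder log4j-core JAR that contains the problem class.
CLEAN_JAR = _make_archive({
    "org/slf4j/impl/StaticLoggerBinder.class": b"\xca\xfe\xba\xbe",
    "org/apache/log4j/Logger.class": b"\xca\xfe\xba\xbe",
})
FAT_JAR = _make_archive({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "lib/log4j-core-example.jar": _make_archive({PROBLEM_CLASS: b"\xca\xfe\xba\xbe"}),
})
```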