cloudcaptainsh / cloudcaptain

Issue Tracker for CloudCaptain

Support newer versions of OpenJDK 8 #264

Closed francis-a closed 2 years ago

francis-a commented 2 years ago

Hello everyone,

As part of addressing the recent log4j zero day we would also like to upgrade our version of OpenJDK to something > 8u191.

Unfortunately it looks like the current version of Boxfuse only supports a max version of 8u162.

Would it be possible to support newer versions of OpenJDK 8?

axelfontaine commented 2 years ago

Log4J 2.15.0 is out now, which fixes the issue.

For older Log4J2 versions you can also work around the issue by setting the JVM system property log4j2.formatMsgNoLookups=true to true.

What is currently holding you back from being able to move to OpenJDK 11 or 17 instead?

francis-a commented 2 years ago

Migrating to OpenJDK 11 or 17 is the long term plan but with support ongoing for JDK 8 we haven't undertaken this work.

Upgrading to Log4J 2.15.0 is only possible in some cases since it turns out this issue also impacts log4j 1.x. This issue is also compounded by the pervasive usage of log4j-over-slf4j across many libraries. There is no Log4J 2.x version of this library available.

axelfontaine commented 2 years ago

Setting the JVM system property com.sun.jndi.ldap.object.trustURLCodebase to false also disables the exploit vector without needing any library or JVM upgrades. Would that work for you?

francis-a commented 2 years ago

Yeah we will set this flag as well but it's still unclear (to me at least right now) if this will fully mitigate the issue. There could be other vectors that work without ldap.

axelfontaine commented 2 years ago

As far as I understand it from the various articles and presentations available online, the new default value false for this property is the only material improvement in OpenJDK 8u191 and newer regarding the exploitability of this issue. All other potential issues seem to be outside the JDK. Or did I miss something?

francis-a commented 2 years ago

Yeah, from what I can tell reading again, I think you're right. At least I can't find anything otherwise right now.

axelfontaine commented 2 years ago

OK, let's keep an eye on this. Ping me if anything else comes up and we'll see what needs to be done.

axelfontaine commented 2 years ago

One more thing: 8u162 already contains the safe defaults as those were changed to false in 8u121.
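A startup self-check that encodes the mitigations discussed in this thread: the JDK 8u191 threshold for the safe `com.sun.jndi.ldap.object.trustURLCodebase` default, the explicit `false` override for older JDKs, and the `log4j2.formatMsgNoLookups` property for Log4j 2 releases before 2.15.0. This is an added example, not code from the CloudCaptain project or from either commenter; the class name, the version-parsing rules and the fail-fast exit policy are my own assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Startup guard: refuse to start on a JVM/configuration still exposed to remote JNDI class loading. */
public final class JndiHardeningCheck {
    // Legacy scheme "1.8.0_162" (major in group 1, update in group 2) or JEP 223 scheme "11.0.2" / "17".
    private static final Pattern LEGACY = Pattern.compile("^1\\.(\\d+)\\.\\d+_(\\d+)");
    private static final Pattern MODERN = Pattern.compile("^(\\d+)");

    /** True if the running JDK ships trustURLCodebase=false for LDAP by default (8u191+ or any 9+ release). */
    static boolean jdkHasSafeLdapDefault(String javaVersion) {
        Matcher m = LEGACY.matcher(javaVersion);
        if (m.find()) {
            int major = Integer.parseInt(m.group(1));
            int update = Integer.parseInt(m.group(2));
            return major > 8 || (major == 8 && update >= 191);
        }
        m = MODERN.matcher(javaVersion);
        return m.find() && Integer.parseInt(m.group(1)) >= 9;
    }

    /** Collects every finding; an empty list means the configuration is acceptable. */
    static List<String> findings(String javaVersion, String trustUrlCodebase, String noLookups) {
        List<String> out = new ArrayList<>();
        // On a JDK older than 8u191 the shipped default is unsafe, so an explicit "false" is required.
        if (!jdkHasSafeLdapDefault(javaVersion) && !"false".equalsIgnoreCase(trustUrlCodebase)) {
            out.add("JDK " + javaVersion + " predates 8u191 and com.sun.jndi.ldap.object.trustURLCodebase is not false");
        }
        // An explicit "true" re-enables remote codebase loading on every JDK version, so flag it regardless.
        if ("true".equalsIgnoreCase(trustUrlCodebase)) {
            out.add("com.sun.jndi.ldap.object.trustURLCodebase=true re-enables remote class loading");
        }
        // Only meaningful for Log4j 2 before 2.15.0; harmless to require on upgraded deployments.
        if (!"true".equalsIgnoreCase(noLookups)) {
            out.add("log4j2.formatMsgNoLookups is not true");
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> problems = findings(
            System.getProperty("java.version"),
            System.getProperty("com.sun.jndi.ldap.object.trustURLCodebase"),
            System.getProperty("log4j2.formatMsgNoLookups"));
        for (String p : problems) System.err.println("HARDENING: " + p);
        if (!problems.isEmpty()) System.exit(1);   // fail fast rather than start exposed
    }
}
```

Run it as the first thing in the application's entry point (or as a separate `java JndiHardeningCheck` step in the start script) with the same `-D` flags the real JVM gets, so a missing or mistyped property stops the deployment instead of silently starting an exposed service.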