dgarijo / Widoco

Wizard for documenting ontologies. WIDOCO is a step by step generator of HTML templates with the documentation of your ontology. It uses the LODE environment to create part of the template.
Apache License 2.0

Log4J upgrade to V.2.16.0 #488

Open DiegoMusmarra opened 2 years ago

DiegoMusmarra commented 2 years ago

Hi, a few days ago a vulnerability was noticed in Log4J for versions from 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0, as you can see here: https://logging.apache.org/log4j/2.x/security.html. On that page it is noted that "only the log4j-core JAR file is impacted by this vulnerability. Applications using only the log4j-api JAR file without the log4j-core JAR file are not impacted by this vulnerability.", so can you please verify whether the Log4J files used by Widoco are affected by this vulnerability and, if necessary, update them to the latest version?

Thank you.

dgarijo commented 2 years ago

Hello, Widoco does not use log4j anywhere in code. It only uses slf4j (I have to figure out why the JAR is added). Widoco is also a standalone application, and as far as I know the vulnerability affects only server-based applications.

I suggest you try and remove the log4j files from the jar and give it a go. I tried that and functionality is not affected.
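The two things asked for in the exchange above are a check (is log4j-core, not just log4j-api, bundled in the Widoco JAR, and which version) and a mitigation (remove the log4j files from the JAR). The following is an added example, not Widoco's own code: it inspects a JAR for log4j-core entries, reads the version from the `pom.properties` that maven-shade keeps for each dependency by default, applies the version ranges quoted in the issue, and writes a copy with `JndiLookup.class` removed (the mitigation Apache documented for releases that do not carry the fix) or with all of log4j-core dropped. The fixture JARs, their names and the placeholder class bytes are constructed so the script runs offline.

```python
"""Inspect a fat JAR for a bundled log4j-core and produce a stripped copy.

Added example for this thread; not Widoco's own code. The fixture JARs are
constructed in memory with placeholder class bytes, so it runs offline.
"""
import os
import re
import tempfile
import zipfile

LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
JNDI_LOOKUP = LOG4J_CORE_PREFIX + "lookup/JndiLookup.class"
# maven-shade keeps each dependency's pom.properties under this path by default.
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _version_key(version):
    """'2.14.1' -> (2, 14, 1); pre-release qualifiers are dropped ('2.0-beta9' -> (2, 0))."""
    digits = re.match(r"[\d.]+", version).group(0).rstrip(".")
    return tuple(int(p) for p in digits.split("."))


def core_version_affected(version):
    """Ranges quoted in the issue: 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0."""
    v = _version_key(version)
    return (2, 0) <= v <= (2, 12, 1) or (2, 13, 0) <= v <= (2, 15, 0)


def inspect_jar(path):
    """Report whether log4j-core (not just log4j-api) is bundled, which version, and
    whether the JndiLookup class that CVE-2021-44228 goes through is present."""
    info = {"has_core": False, "version": None, "has_jndi_lookup": False}
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith(LOG4J_CORE_PREFIX):
                info["has_core"] = True
            if name == JNDI_LOOKUP:
                info["has_jndi_lookup"] = True
            if name == CORE_POM_PROPS:
                for line in zf.read(name).decode("utf-8").splitlines():
                    if line.startswith("version="):
                        info["version"] = line.split("=", 1)[1].strip()
    # An unknown version with the class present is treated as exposed, not waved through.
    info["affected"] = info["has_jndi_lookup"] and (
        info["version"] is None or core_version_affected(info["version"])
    )
    return info


def strip_log4j_core(src, dst, drop_all_core=False):
    """Copy src to dst without JndiLookup.class, or without every log4j-core entry when
    drop_all_core is set. Returns the list of removed entries."""
    removed = []
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for item in zin.infolist():
            if item.filename == JNDI_LOOKUP or (
                drop_all_core and item.filename.startswith(LOG4J_CORE_PREFIX)
            ):
                removed.append(item.filename)
                continue
            zout.writestr(item, zin.read(item.filename))
    return removed


def build_sample_jar(path, core_version, include_core=True):
    """Constructed fixture: the layout of a shaded JAR, with 4-byte placeholders for classes."""
    fake_class = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: example.Main\n")
        zf.writestr("org/slf4j/Logger.class", fake_class)
        zf.writestr("org/apache/logging/log4j/LogManager.class", fake_class)  # log4j-api only
        if include_core:
            zf.writestr("org/apache/logging/log4j/core/Logger.class", fake_class)
            zf.writestr(JNDI_LOOKUP, fake_class)
            zf.writestr(CORE_POM_PROPS, f"artifactId=log4j-core\nversion={core_version}\n")


def demo():
    """Run inspect/strip over constructed fixtures and return the results."""
    with tempfile.TemporaryDirectory() as d:
        fat = os.path.join(d, "app-with-core.jar")
        build_sample_jar(fat, "2.14.1")
        stripped = os.path.join(d, "app-no-jndi.jar")
        removed = strip_log4j_core(fat, stripped)
        api_only = os.path.join(d, "app-api-only.jar")
        build_sample_jar(api_only, "2.14.1", include_core=False)
        return {
            "before": inspect_jar(fat),
            "removed": removed,
            "after": inspect_jar(stripped),
            "api_only": inspect_jar(api_only),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run `inspect_jar` on the real Widoco JAR to settle the question in the issue rather than inferring from the pom; `has_core` false with only `org/apache/logging/log4j/` api classes present is the "not impacted" case quoted from Apache's page. If `drop_all_core=True` is used and the application logs through an slf4j binding that forwards to log4j-core, logging breaks at runtime, so exercise the stripped build before shipping it.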

DiegoMusmarra commented 2 years ago

Oh, well, I'll try it and I'll let you know, thank you very much!


From: Daniel Garijo @.***> Sent: Thursday, 16 December 2021, 18:21 To: dgarijo/Widoco Cc: Diego Musmarra; Author Subject: Re: [dgarijo/Widoco] Log4J upgrade to V.2.16.0 (Issue #488)


weissjoh commented 2 years ago

@dgarijo the issue is not only relevant for server-based applications. Server-based applications are easier to attack. However, even in standalone applications an attack is possible. Imagine one passes an ontology to WiDoCo which contains malicious statements that cause a log statement to be logged by log4j. In this case code can potentially be loaded from a remote server.

So the difference is that the initial starting point of an attack is different. But still it is a relevant issue.

It would be great if WiDoCo either removed log4j altogether (if it is not required) or patched to the latest version of log4j (at least 2.16).

dgarijo commented 2 years ago

@weissjoh, that's the thing: there are no logging messages in Widoco using log4j, because I replaced it with slf4j a long time ago. Suggestions are welcome on how to remove the log4j components from the main JAR, although I think there is no impact.