gbif / ipt

GBIF Integrated Publishing Toolkit (IPT)
https://www.gbif.org/ipt
Apache License 2.0

Security framework of XStream not initialized, XStream is probably vulnerable. #1678

Closed ainsofs closed 2 years ago

ainsofs commented 2 years ago

The following message appears in the logs when using the Docker image of IPT v2.5.1:

Security framework of XStream not initialized, XStream is probably vulnerable.

## Full log
10-Nov-2021 01:48:53.830 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/8.5.71
10-Nov-2021 01:48:53.836 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Sep 9 2021 18:43:14 UTC
10-Nov-2021 01:48:53.837 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 8.5.71.0
10-Nov-2021 01:48:53.837 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
10-Nov-2021 01:48:53.838 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.4.0-1128-aws
10-Nov-2021 01:48:53.840 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
10-Nov-2021 01:48:53.840 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-8/jre
10-Nov-2021 01:48:53.841 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           1.8.0_302-b08
10-Nov-2021 01:48:53.841 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
10-Nov-2021 01:48:53.842 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
10-Nov-2021 01:48:53.843 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
10-Nov-2021 01:48:53.844 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
10-Nov-2021 01:48:53.844 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
10-Nov-2021 01:48:53.845 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
10-Nov-2021 01:48:53.846 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
10-Nov-2021 01:48:53.846 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
10-Nov-2021 01:48:53.847 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
10-Nov-2021 01:48:53.851 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
10-Nov-2021 01:48:53.856 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
10-Nov-2021 01:48:53.856 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
10-Nov-2021 01:48:53.857 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.2.31] using APR version [1.7.0].
10-Nov-2021 01:48:53.857 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [{4}].
10-Nov-2021 01:48:53.858 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
10-Nov-2021 01:48:53.867 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1k  25 Mar 2021]
10-Nov-2021 01:48:54.039 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
10-Nov-2021 01:48:54.070 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read
10-Nov-2021 01:48:54.114 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1296 ms
10-Nov-2021 01:48:54.198 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
10-Nov-2021 01:48:54.199 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/8.5.71]
10-Nov-2021 01:48:54.232 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/ROOT]
10-Nov-2021 01:49:03.295 INFO [localhost-startStop-1] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
INFO  [org.gbif.ipt.config.IPTModule] - Using environment variable IPT_DATA_DIR for data directory location: /srv/ipt
INFO  [org.gbif.ipt.config.DataDir] - IPT Data Directory configured at /srv/ipt
DEBUG [org.gbif.ipt.config.DataDir] - Cleared temporary folder
DEBUG [org.gbif.ipt.config.AppConfig] - Loaded default configuration from application.properties in classpath
DEBUG [org.gbif.ipt.config.AppConfig] - Loaded user configuration from /srv/ipt/config/ipt.properties
INFO  [org.gbif.ipt.config.AppConfig] - Reading registry lock file to determine if the DataDir is locked to a registry yet.
INFO  [org.gbif.ipt.config.AppConfig] - DataDir is locked to registry type: PRODUCTION
INFO  [org.gbif.ipt.config.IPTContextListener] - SessionCookieConfig: httpOnly=true; secure=true
10-Nov-2021 01:49:05.903 INFO [localhost-startStop-1] com.google.inject.struts2.Struts2Factory.createInjector Loading struts2 Guice support...
10-Nov-2021 01:49:05.911 INFO [localhost-startStop-1] com.google.inject.struts2.Struts2Factory.createInjector Injector created successfully.
DEBUG [org.gbif.ipt.config.IPTModule] - Loaded default configuration from application.properties in classpath
DEBUG [org.gbif.ipt.config.IPTModule] - Loaded supported jdbc driver information from jdbc.properties
INFO  [org.gbif.ipt.config.ConfigManagerImpl] - IPT DataDir configured - loading its configuration
INFO  [org.gbif.ipt.config.ConfigManagerImpl] - Reading DATA DIRECTORY: /srv/ipt
INFO  [org.gbif.ipt.config.ConfigManagerImpl] - Loading IPT config ...
DEBUG [org.gbif.ipt.config.AppConfig] - Loaded default configuration from application.properties in classpath
DEBUG [org.gbif.ipt.config.AppConfig] - Loaded user configuration from /srv/ipt/config/ipt.properties
INFO  [org.gbif.ipt.config.AppConfig] - Reading registry lock file to determine if the DataDir is locked to a registry yet.
INFO  [org.gbif.ipt.config.AppConfig] - DataDir is locked to registry type: PRODUCTION
INFO  [org.gbif.ipt.config.ConfigManagerImpl] - Reloading log4j settings ...
INFO  [org.gbif.ipt.config.ConfigManagerImpl] - Changing logging directory to /srv/ipt/logs/
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
Security framework of XStream not initialized, XStream is probably vulnerable.
10-Nov-2021 01:49:13.644 INFO [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/ROOT] has finished in [19,412] ms
10-Nov-2021 01:49:13.653 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
10-Nov-2021 01:49:13.674 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 19559 ms

Not sure how this affects the application.

mike-podolskiy90 commented 2 years ago

Thank you for contacting us @ainsofs. That's just an outdated version of the XStream library; we're working on updating this. It doesn't affect the IPT functionality though.
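For readers wondering what the warning refers to: XStream prints "Security framework of XStream not initialized, XStream is probably vulnerable." when an application deserializes XML without having told XStream which classes it is allowed to instantiate. Releases before 1.4.18 would then instantiate any class named in the document; 1.4.18 and later default to a deny-by-default allowlist. The block below is an added example, not code from the IPT project, showing how an application initializes that framework explicitly so the warning disappears for the right reason. `ResourceConfig` and the package `com.example.ipt.model` are placeholders standing in for whatever types the application actually persists; the sample documents are constructed for the example.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

import java.util.Collection;
import java.util.Map;

/**
 * Added example (not IPT project code): build an XStream instance whose
 * security framework is explicitly initialized with a type allowlist.
 * Needs the xstream jar (1.4.7 or later) on the classpath; the StAX driver
 * uses the JDK parser, so no xpp3 dependency is required.
 */
public class XStreamAllowlistExample {

    /** Hypothetical application type; stands in for whatever the app stores as XML. */
    public static class ResourceConfig {
        public String shortName;
        public int recordCount;
    }

    /** Returns an XStream configured deny-by-default, then opened only for expected types. */
    public static XStream secureXStream() {
        XStream xstream = new XStream(new StaxDriver());

        // Forbid every type first. Adding a permission also marks the security
        // framework as initialized, so the "probably vulnerable" warning is not logged.
        xstream.addPermission(NoTypePermission.NONE);

        // Re-allow the building blocks that ordinary data documents need.
        xstream.addPermission(NullPermission.NULL);
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xstream.allowTypes(new Class[] { String.class });
        xstream.allowTypeHierarchy(Collection.class);
        xstream.allowTypeHierarchy(Map.class);

        // Allow the application's own model classes and nothing else.
        // "com.example.ipt.model" is a placeholder package name for this example.
        xstream.allowTypesByWildcard(new String[] { "com.example.ipt.model.**" });
        xstream.allowTypes(new Class[] { ResourceConfig.class });
        xstream.alias("resource", ResourceConfig.class);

        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = secureXStream();

        // Constructed sample document of the expected shape: accepted.
        String expected = "<resource><shortName>birds</shortName><recordCount>42</recordCount></resource>";
        ResourceConfig cfg = (ResourceConfig) xstream.fromXML(expected);
        System.out.println("accepted: " + cfg.shortName + " / " + cfg.recordCount);

        // Constructed document naming a type outside the allowlist: XStream rejects
        // it when resolving the class name, before any instance is created
        // (ForbiddenClassException, a subclass of XStreamException).
        String unexpected = "<java.util.Date>0</java.util.Date>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("BUG: unexpected type was accepted");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two things to check when this warning shows up in a deployment: which XStream version is actually bundled in the webapp (the maintainer's fix here is a dependency upgrade), and whether the XML XStream reads can be influenced from outside the application. If only administrator-written configuration files are parsed, as the reply above suggests for IPT, the exposure is limited; an explicit allowlist like the one above still documents what the application expects to read and keeps the setting independent of the library's default.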