irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Question regarding Log4J #358

Closed kalylian closed 3 months ago

kalylian commented 3 months ago

Hi,

I have a short question regarding Log4J and Log4Shell. Metalnx seems to be using Log4J 1.2, which is vulnerable to Log4Shell when configured to use JMSAppender:

https://nvd.nist.gov/vuln/detail/CVE-2021-4104

I found #296, which states the Log4J version but doesn't specify whether JMSAppender is activated.

Can you please confirm whether or not Metalnx is affected?

Kind regards,

Kaly

trel commented 3 months ago

JMSAppender is configured via log4j.properties... https://knowledge.broadcom.com/external/article/231043/cve20214104-log4j-1x-vulnerability-remed.html

JMSAppender is not configured/present in this repository:

~/repos/metalnx-web $ grep -rI "log4j.appender.jms" .
~/repos/metalnx-web $

Metalnx is not affected.
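
A variant of the check shown in the thread, as an added example that is not part of the original issue or the Metalnx project: it searches `.properties` and `.xml` files for the `org.apache.log4j.net.JMSAppender` class name, so it matches whatever name the appender was given, and it skips lines commented out in `.properties` syntax. The function names `find_jms_appender` and `make_samples` and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Finds log4j 1.x configuration that
# references the JMSAppender class, regardless of the appender's name.

JMS_CLASS='org\.apache\.log4j\.net\.JMSAppender'

# Prints file:line:text for each active reference under $1 (default: .).
# Lines commented out with '#' or '!' (.properties syntax) are skipped.
# Returns 0 when at least one reference is found, 1 when there are none.
find_jms_appender() {
    root=${1:-.}
    hits=$(
        find "$root" -type f \( -name '*.properties' -o -name '*.xml' \) \
            -exec grep -HnE "$JMS_CLASS" {} + 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*[#!]' || true
    )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Constructed sample tree: one active appender named "audit", one
# commented-out line, one XML appender, and one config without JMS.
make_samples() {
    d=$(mktemp -d)
    mkdir -p "$d/a" "$d/b" "$d/c" "$d/clean"
    printf '%s\n' 'log4j.rootLogger=INFO, audit' \
        'log4j.appender.audit=org.apache.log4j.net.JMSAppender' \
        > "$d/a/log4j.properties"
    printf '%s\n' '# log4j.appender.jms=org.apache.log4j.net.JMSAppender' \
        > "$d/b/log4j.properties"
    printf '%s\n' '<appender name="q" class="org.apache.log4j.net.JMSAppender"/>' \
        > "$d/c/log4j.xml"
    printf '%s\n' 'log4j.appender.stdout=org.apache.log4j.ConsoleAppender' \
        > "$d/clean/log4j.properties"
    echo "$d"
}

# Run with --demo to scan the constructed sample tree.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples); find_jms_appender "$d"; rm -rf "$d"
fi
```

This covers configuration files in a source tree only; it does not inspect configuration packed inside built archives.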