Closed: theronic closed this 2 years ago
@theronic Hi Petrus, thanks for bringing this to my attention.
Based on my understanding of your linked CVE page: you should be safe so long as you have no dependency on Log4j.
`java.util.Formatter`. The main concern is if both of the following are true:
`lein deps :tree` or similar. If you see no `log4j` dependency, you should be safe. If you do see a `log4j` dependency, then you may need to follow one or more of the mitigation suggestions on the CVE page, for example:
Hope that's helpful.
It seems it is not as easy as that. Check this as well:
`jar tf uberjar.jar | grep log4j`
It might be included there without being listed elsewhere.
And `lein deps :tree 2>&1 | grep log4j`
or `lein deps :tree 2>&1 | grep <the lib you suspect of having a vulnerable log4j as a dependency>`.
@KaliszAd Hi Adam, thanks for the assistance! 🙏
I wasn't aware that a Clojure Uberjar can contain dependencies not listed by `lein deps :tree`. Can you provide an example of how that could happen, or a source with more info? Would be interested in understanding this better.
Cheers
@ptaoussanis There was a discussion around that on Clojurians I have seen. Here is a link: https://clojurians.slack.com/archives/C03RZGPG3/p1639355694394000?thread_ts=1639213808.334100&cid=C03RZGPG3
It seems profiles can alter what you get without `lein deps :tree` showing it. Or presumably a dependency can just include a jar. https://clojurians.slack.com/archives/C03RZGPG3/p1639355754395300
I'm not a member of the linked Slack group, so can't comment on the discussion there. But in any case, would agree that it doesn't hurt to be extra cautious and [/also] check the jar directly 👍
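The thread above ends with two checks: `lein deps :tree | grep log4j` and `jar tf uberjar.jar | grep log4j`, plus the observation that a dependency may bundle a jar inside the uberjar. The script below is an added example, not code from this issue or from the Timbre project. It does what the `jar tf ... | grep log4j` check does on the jar's entry list, and goes one step further than the thread by recursing into nested `.jar` entries so a bundled Log4j jar with an innocuous file name is still found. The constant `JNDI_LOOKUP_CLASS` (the class that the public CVE-2021-44228 write-ups identify as the JNDI lookup handler in log4j-core 2.x) is an assumption taken from those write-ups, not from this thread; all sample jars are constructed in memory and are not real artifacts.

```python
import io
import sys
import zipfile

# Mirrors the thread's `jar tf uberjar.jar | grep log4j` check.
LOG4J_MARKER = "log4j"
# Assumption (from public CVE-2021-44228 write-ups, not from this thread):
# the log4j-core 2.x class that implements the JNDI lookup.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_jar_bytes(data, location="<root>"):
    """Scan a jar held in memory.

    Returns a dict with:
      log4j_entries: every entry path containing "log4j" (what grep would show)
      jndi_lookup:   every location of JndiLookup.class, including nested jars
      needs_attention: True if either list is non-empty
    Nested jars are scanned recursively; paths use "outer!inner" notation.
    """
    log4j_entries = []
    jndi_lookup = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            full = f"{location}!{name}"
            if LOG4J_MARKER in name.lower():
                log4j_entries.append(full)
            if name == JNDI_LOOKUP_CLASS:
                jndi_lookup.append(full)
            if name.lower().endswith(".jar"):
                # A dependency can bundle its own jar; recurse into it.
                nested = scan_jar_bytes(zf.read(info), location=full)
                log4j_entries.extend(nested["log4j_entries"])
                jndi_lookup.extend(nested["jndi_lookup"])
    return {
        "log4j_entries": log4j_entries,
        "jndi_lookup": jndi_lookup,
        "needs_attention": bool(log4j_entries or jndi_lookup),
    }


def scan_jar(path):
    """Scan a jar on disk, e.g. target/uberjar/myapp-standalone.jar."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), location=path)


def make_jar(entries):
    """Build a jar (zip) in memory from {entry_name: bytes}; test helper."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_samples():
    """Constructed sample uberjars (not real artifacts) covering three cases."""
    base = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "myapp/core.class": b"\xca\xfe\xba\xbe",
        "taoensso/timbre.class": b"\xca\xfe\xba\xbe",
    }
    # Case 1: no log4j anywhere.
    clean = make_jar(base)
    # Case 2: log4j-core classes merged straight into the uberjar.
    shaded = make_jar({
        **base,
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
        "org/apache/logging/log4j/LogManager.class": b"\xca\xfe\xba\xbe",
    })
    # Case 3: a dependency ships log4j inside its own bundled jar whose
    # file name says nothing about log4j, so `grep log4j` on the outer
    # listing misses it.
    inner = make_jar({JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
    nested = make_jar({**base, "lib/vendor-bundle.jar": inner})
    return {"clean": clean, "shaded": shaded, "nested": nested}


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            print(path, scan_jar(path))
    else:
        for label, jar in build_samples().items():
            print(label, scan_jar_bytes(jar))
```

Run it with no arguments to see the three constructed cases, or pass uberjar paths to scan real builds. Because the nested case is only caught by recursion, the plain `jar tf | grep` listing reports nothing for it while `jndi_lookup` still names the bundled class; that is the situation the thread's second comment is warning about.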
If I'm using Timbre "out of the box", do I need to be concerned about CVE-2021-44228?