Bug
Resolution: Done
High
A new set of vulnerabilities has been found for Log4J:
https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance
I wanted to bring attention to this and the fact that many versions of ODL will need to be updated to ensure there is no more use of Log4J v1 and that Log4J 2 is updated to at least 2.17.0.
I ran a scan (https://github.com/rubo77/log4j_checker_beta) for fingerprints of Log4J in 0.11.4 and found the following:
[WARNING] contains log4j files: /opt/opendaylight/system/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
[WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty/3.10.6.Final/netty-3.10.6.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty-common/4.1.51.Final/netty-common-4.1.51.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/activemq/activemq-osgi/5.15.3/activemq-osgi-5.15.3.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/karaf/log/org.apache.karaf.log.core/4.2.6/org.apache.karaf.log.core-4.2.6.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/openjpa/openjpa/3.0.0/openjpa-3.0.0.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/servicemix/bundles/org.apache.servicemix.bundles.c3p0/0.9.5.2_1/org.apache.servicemix.bundles.c3p0-0.9.5.2_1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/xbean/xbean-reflect/4.12/xbean-reflect-4.12.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/codehaus/groovy/groovy-all/2.4.12/groovy-all-2.4.12.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/jboss/logging/jboss-logging/3.3.2.Final/jboss-logging-3.3.2.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-api/1.10.1/pax-logging-api-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar
[WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-logback/1.10.1/pax-logging-logback-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.2/pax-transx-tm-atomikos-0.4.2.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.3/pax-transx-tm-atomikos-0.4.3.jar
The solution involves the dependencies themselves getting updated and then Sodium (and the rest of the ODL versions) updating their POMs to point to the updated versions.
Update:
Looking closer at the output, most of the warnings are about seeing files in the JAR that contain the token 'log4j'; however, there is one JAR that contains a vulnerable binary class:
[WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar
For reference: https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/1.10.1
The most updated version of pax-logging does not have vulnerabilities listed: https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/2.0.13
It may be that the solution is to seek
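The distinction the update draws, between a JAR that merely has entries whose names contain the token 'log4j' and one that actually ships the affected binary class, is what decides whether an artifact needs to move to a fixed pax-logging / Log4j 2.17.0 line. The script below is an added illustration of that triage, not the reporter's scan nor the rubo77 checker; it assumes that the "vulnerable binary classes" finding keys on the presence of Log4j 2's JndiLookup class, and builds its sample JARs in memory so it runs offline.

```python
import io
import re
import zipfile

# Real Log4j 2 class path that hosts the JNDI lookup feature; treating its presence
# as the "vulnerable binary class" signal is this example's assumption.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Loose fingerprint: any entry name mentioning log4j (this is what the bulk of the
# "contains log4j files" warnings in the scan above correspond to).
LOG4J_TOKEN = re.compile(r"log4j", re.IGNORECASE)


def classify_jar(data: bytes, path: str = "<jar>", findings=None):
    """Return [(severity, jar_path, entry_name)] for one JAR given as bytes.
    Recurses into nested JARs because OSGi bundles and fat JARs embed libraries,
    so a surface-level filename check on the outer artifact is not enough."""
    if findings is None:
        findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name == JNDI_LOOKUP_CLASS:
                findings.append(("VULNERABLE_CLASS", path, name))
            elif LOG4J_TOKEN.search(name):
                findings.append(("LOG4J_TOKEN", path, name))
            if name.endswith(".jar"):
                classify_jar(zf.read(name), f"{path}!/{name}", findings)
    return findings


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory JAR (a zip) from {entry_name: bytes}; fixture only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample: an outer bundle whose only hit is a class name containing the
# token (commons-logging's Log4JLogger adapter is exactly this kind of false lead),
# embedding an inner JAR that really carries the JndiLookup class.
INNER = build_jar({"META-INF/MANIFEST.MF": b"", JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe"})
OUTER = build_jar({
    "org/apache/commons/logging/impl/Log4JLogger.class": b"\xca\xfe\xba\xbe",
    "lib/embedded.jar": INNER,
})
FINDINGS = classify_jar(OUTER, "/opt/example/bundle.jar")  # hypothetical path

if __name__ == "__main__":
    for severity, jar, entry in FINDINGS:
        print(f"[{severity}] {jar}: {entry}")
```

Only the VULNERABLE_CLASS finding identifies an artifact that must actually be upgraded; LOG4J_TOKEN hits are a prompt to look closer, not evidence of exposure.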