[OPNFLWPLUG-1121] Log4J Bug
Created: 20/Dec/21  Updated: 18/Nov/22  Resolved: 18/Nov/22

Status: Resolved
Project: OpenFlowPlugin
Component/s: None
Affects Version/s: None
Fix Version/s: Silicon, Phosphorus

Type: Bug Priority: High
Reporter: Eric Sender Assignee: Sangwook Ha
Resolution: Done Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

A new set of vulnerabilities has been found for Log4J:

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance

I wanted to bring attention to this and the fact that many versions of ODL will need to be updated to ensure there is no more use of Log4J v1 and that Log4J 2 is updated to at least 2.17.0.

I ran a scan (https://github.com/rubo77/log4j_checker_beta) for fingerprints of Log4J in 0.11.4 and found the following:

[WARNING] contains log4j files: /opt/opendaylight/system/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
[WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty/3.10.6.Final/netty-3.10.6.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty-common/4.1.51.Final/netty-common-4.1.51.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/activemq/activemq-osgi/5.15.3/activemq-osgi-5.15.3.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/karaf/log/org.apache.karaf.log.core/4.2.6/org.apache.karaf.log.core-4.2.6.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/openjpa/openjpa/3.0.0/openjpa-3.0.0.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/servicemix/bundles/org.apache.servicemix.bundles.c3p0/0.9.5.2_1/org.apache.servicemix.bundles.c3p0-0.9.5.2_1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/apache/xbean/xbean-reflect/4.12/xbean-reflect-4.12.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/codehaus/groovy/groovy-all/2.4.12/groovy-all-2.4.12.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/jboss/logging/jboss-logging/3.3.2.Final/jboss-logging-3.3.2.Final.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-api/1.10.1/pax-logging-api-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar
[WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-logback/1.10.1/pax-logging-logback-1.10.1.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.2/pax-transx-tm-atomikos-0.4.2.jar
[WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.3/pax-transx-tm-atomikos-0.4.3.jar

The solution involves the dependencies themselves getting updated and then Sodium (and the rest of the ODL versions) updating its POMs to point to the updated versions.

Update:

Looking closer at the output, most of the warnings are about seeing files in the JAR that contain the token 'log4j'; however, there is one JAR that contains a vulnerable binary class:

[WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar

For reference: https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/1.10.1

The most updated version of pax-logging does not have vulnerabilities listed: https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/2.0.13 

It may be that the solution is to seek 


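The distinction drawn above, between a JAR that merely has 'log4j' in an entry name and a JAR that actually carries a vulnerable class, can be checked directly. The following is an added example written for this page, not code from log4j_checker_beta or google/log4jscanner; it assumes the JndiLookup class path as the indicator of an unmitigated Log4j 2 core and uses constructed in-memory JARs as input:

```python
"""Classify jars the way the scanner output above does: a 'log4j' token match in
an entry name versus a jar that carries the JndiLookup class itself (added example)."""
import io
import zipfile

# Class that the Log4Shell mitigation removes; its presence is the indicator used here.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(data: bytes, depth: int = 0) -> dict:
    """Return {'token_files': [...], 'vulnerable': bool} for one jar image,
    recursing into jars nested inside it (up to 3 levels)."""
    result = {"token_files": [], "vulnerable": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if "log4j" in name.lower():
                result["token_files"].append(name)
            if name == JNDI_LOOKUP:
                result["vulnerable"] = True
            if name.endswith(".jar") and depth < 3:
                try:
                    inner = classify_jar(zf.read(name), depth + 1)
                except zipfile.BadZipFile:
                    continue  # entry named .jar but not a zip; ignore
                result["token_files"] += [f"{name}!/{n}" for n in inner["token_files"]]
                result["vulnerable"] |= inner["vulnerable"]
    return result

def build_jar(entries: dict) -> bytes:
    """Constructed sample input: build an in-memory jar from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def report(name: str, data: bytes) -> str:
    """Mirror the scanner's two warning levels for one jar."""
    r = classify_jar(data)
    if r["vulnerable"]:
        return f"[WARNING] vulnerable binary classes in: {name}"
    if r["token_files"]:
        return f"[WARNING] contains log4j files: {name}"
    return f"[OK] {name}"

if __name__ == "__main__":  # constructed samples: token-only, JndiLookup, nested
    bad = build_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe", "META-INF/MANIFEST.MF": b""})
    samples = {"token.jar": build_jar({"log4j.properties": b"x"}), "bad.jar": bad,
               "nested.jar": build_jar({"lib/embedded.jar": bad})}
    for n, d in samples.items():
        print(report(n, d))
```

Point it at a directory of real JARs by reading each file's bytes into `report`; only the "vulnerable binary classes" line should drive remediation, the token matches are informational.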

Comments
Comment by Rohini Ambika [ 11/Jan/22 ]

Is there any ETA on when this issue will be fixed?

Comment by Eric Sender [ 11/Jan/22 ]

For now, my team plans to use this tool to help edit the corrupted jar: https://github.com/google/log4jscanner

Comment by Rohini Ambika [ 12/Jan/22 ]

Arunprakash, can you let us know when this issue will be fixed and upstreamed to git?

Comment by Rohini Ambika [ 12/Jan/22 ]

OK. I have used this scanner to detect the vulnerable log4j versions in ODL. ODL is still using older versions of log4j (1.2.x), which has been EOL for 7 years and has several known vulnerabilities.

 https://github.com/mergebase/log4j-detector

Comment by Sangwook Ha [ 18/Jan/22 ]

Log4j vulnerabilities will be remediated for Silicon, Phosphorus & Sulfur (Log4Shell impacts on ODL releases):

  • Silicon: originally unscheduled service release (SR4) in the near future
  • Phosphorus: upcoming SR2 (planned for end of January)
  • Sulfur: formal release is planned for mid March

Release schedule

odlparent releases addressing Log4j issues:

Comment by Eric Sender [ 18/Jan/22 ]

Will there be a hotfix update for the other versions, such as Sodium? If not, I suppose we can just package our own hotfix version of Sodium with the cleaned-out JAR file, but I think it would be more thorough if the fix came internally from OpenDaylight.

Comment by Rohini Ambika [ 18/Jan/22 ]

Thanks, sangwookha, for the update.

Any tentative date planned for SR4 of Silicon?

Comment by Sangwook Ha [ 18/Jan/22 ]

Older versions before Silicon are not supported any more, so there won't be a fix for those versions.

Comment by Sangwook Ha [ 18/Jan/22 ]

I believe the plan will be discussed at the upcoming TSC meeting on Thursday.

Comment by Rohini Ambika [ 19/Jan/22 ]

Please update us on the plan because we are working on an ODL project and we need to have this fixed before the go-live.

Comment by Eric Sender [ 19/Jan/22 ]

Our plan is to run this script after ODL is installed. It swaps out the infected JARs/.class files:

https://github.com/google/log4jscanner

Since I am on Sodium and update plans are not on the table at this point, this solution is working for us.

Comment by Rohini Ambika [ 20/Jan/22 ]

If it swaps out the infected JARs, will all the related functionalities work? Also, will this solution work for the Docker image?

Comment by Sangwook Ha [ 21/Jan/22 ]

Here is the release plan for Silicon SR4: https://wiki.opendaylight.org/display/ODL/Silicon+SR4+Release+Checklist

Release of official distribution is planned for Feb 2.

Comment by Rohini Ambika [ 21/Jan/22 ]

Thanks for the update.

Comment by Rohini Ambika [ 28/Jan/22 ]

sangwookha, does this fix include the upgrade of the 1.2.x log4j versions used in the project?

Comment by Sangwook Ha [ 28/Jan/22 ]

I don't think 1.2.x is used for Silicon or later versions - e.g. Silicon SR3 includes pax-logging-log4j2 v2.0.10 and its dependency log4j 2.14.1.

And there is dependency enforcement that requires at least v2.16.0 for log4j: https://git.opendaylight.org/gerrit/c/odlparent/+/99072

Comment by Rohini Ambika [ 31/Jan/22 ]

I ran an internal scan to detect the log4j vulnerable versions used in Silicon and it shows the below:

integration-distribution/karaf/target/assembly/system/org/ops4j/pax/logging/pax-logging-api/2.0.14/pax-logging-api-2.0.14.jar contains Log4J-1.x(1.2.17)

Comment by Sangwook Ha [ 31/Jan/22 ]

Not sure what it is detecting but I don't think ODL includes Log4j v1.x.

pax-logging-api does support the Log4j v1.x API but it does not include the Log4j 1.x implementation - it's a provided dependency: https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/2.0.14.

ODL has the following 3 pax-logging JAR files included:

  • pax-logging-api
  • pax-logging-log4j2
  • pax-logging-logback

but not pax-logging-log4j1.

Comment by Rohini Ambika [ 31/Jan/22 ]

OK. Thanks for this. One more query on fixing the log4j issue: are we upgrading the Karaf runtime version? Could you please detail the changes in the fix?

Comment by Sangwook Ha [ 31/Jan/22 ]

I don't have the full list of changes but Karaf will be upgraded to 4.3.6 (odlparent is upgraded from 8.1.4 in Silicon SR3 to 8.1.9 in Silicon SR4). More details will be updated in Silicon Release Notes.

Comment by Rohini Ambika [ 01/Feb/22 ]

Thanks for the update. Will wait for the release notes then.

Comment by Rohini Ambika [ 01/Feb/22 ]

sangwookha, as per the release checklist, the "unlock stable version" step has been completed. Shall we take a fresh clone from ODL GitHub (https://github.com/opendaylight/integration-distribution/tree/stable/silicon) for our dev activity? Please confirm whether the latest changes are committed to the Silicon version.

Comment by Sangwook Ha [ 01/Feb/22 ]

Yes, Silicon SR4 version bump has been completed, except for self-managed projects (i.e. TransportPCE): https://lists.opendaylight.org/g/TSC/message/14049

Comment by Sangwook Ha [ 08/Feb/22 ]

Silicon SR4 has been officially released: https://docs.opendaylight.org/en/stable-silicon/downloads.html

Comment by Rohini Ambika [ 15/Feb/22 ]

Thanks, sangwookha. Can you update us on the latest status of the Phosphorus SR2 release? Is it up to date enough to take a clone from https://github.com/opendaylight/integration-distribution/tree/stable/phosphorus/?

Comment by Sangwook Ha [ 15/Feb/22 ]

It's not been approved/released yet but pretty close - the managed projects probably will be released within a few days.

Comment by Rohini Ambika [ 28/Feb/22 ]

Hi sangwookha, is the Phosphorus SR2 distribution available now? If not, can you please tell us the date of release? As per the release notes, it was on 24th Feb.

Comment by Sangwook Ha [ 28/Feb/22 ]

Phosphorus SR2 distribution is available now:
https://nexus.opendaylight.org/content/repositories/opendaylight.release/org/opendaylight/integration/opendaylight/15.2.0/

I believe most of the Phosphorus SR2 release process has been completed other than some documentation update.

Comment by Rohini Ambika [ 02/Mar/22 ]

Thanks for the update.

Generated at Wed Feb 07 20:34:15 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.