https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/OPNFLWPLUG-1121 OpenFlowPlugin <p>A new set of vulnerabilities has been found for Log4J:</p> <p><a href="https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance" class="external-link" target="_blank" rel="nofollow noopener">https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance</a></p> <p> </p> <p>I wanted to bring attention to this and the fact that many versions of ODL will need to be updated to ensure there is no more use of Log4J v1 and that Log4J 2 is updated to at least 2.17.0.</p> <p> </p> <p>I ran a scan (<a href="https://github.com/rubo77/log4j_checker_beta" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/rubo77/log4j_checker_beta</a>) for fingerprints of Log4J in 0.11.4 and found the following:</p> <p> </p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [WARNING] contains log4j files: /opt/opendaylight/system/commons-logging/commons-logging/1.2/commons-logging-1.2.jar [WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty/3.10.6.Final/netty-3.10.6.Final.jar [WARNING] contains log4j files: /opt/opendaylight/system/io/netty/netty-common/4.1.51.Final/netty-common-4.1.51.Final.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/apache/activemq/activemq-osgi/5.15.3/activemq-osgi-5.15.3.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/apache/karaf/log/org.apache.karaf.log.core/4.2.6/org.apache.karaf.log.core-4.2.6.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/apache/openjpa/openjpa/3.0.0/openjpa-3.0.0.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/apache/servicemix/bundles/org.apache.servicemix.bundles.c3p0/0.9.5.2_1/org.apache.servicemix.bundles.c3p0-0.9.5.2_1.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/apache/xbean/xbean-reflect/4.12/xbean-reflect-4.12.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/codehaus/groovy/groovy-all/2.4.12/groovy-all-2.4.12.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/jboss/logging/jboss-logging/3.3.2.Final/jboss-logging-3.3.2.Final.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-api/1.10.1/pax-logging-api-1.10.1.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar [WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-logback/1.10.1/pax-logging-logback-1.10.1.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.2/pax-transx-tm-atomikos-0.4.2.jar [WARNING] contains log4j files: /opt/opendaylight/system/org/ops4j/pax/transx/pax-transx-tm-atomikos/0.4.3/pax-transx-tm-atomikos-0.4.3.jar </pre> </div></div> <p>The solution Involves the dependencies themselves getting updated and then Sodium (and the rest of the ODL versions) updating its POM's to point to the updated versions.</p> <p> </p> <p>Update:</p> <p>Looking closer at the output, most of the warnings are about seeing files in the JAR that contain the token 'log4j' however there is one Jar that contains a vulnerable binary class:</p> <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent"> <pre class="code-java"> [WARNING] vulnerable binary classes in: /opt/opendaylight/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar</pre> </div></div> <p>For reference: <a href="https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/1.10.1" class="external-link" target="_blank" rel="nofollow noopener">https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/1.10.1</a></p> <p>The most updated version of pax-logging does not have vulnerabilities listed: <a href="https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/2.0.13" class="external-link" target="_blank" rel="nofollow noopener">https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-log4j2/2.0.13</a> </p> <p>It may be that the solution is to seek </p> OPNFLWPLUG-1121

Log4J Bug

Bug High Resolved Done Sangwook Ha Eric Sender Mon, 20 Dec 2021 21:48:09 +0000 Fri, 18 Nov 2022 06:29:42 +0000 Fri, 18 Nov 2022 06:29:42 +0000 Silicon Phosphorus 1 3 <p>Is there any ETA on when this issue will be fixed?</p> <p>For now, my team plans to use this tool to help edit the corrupted jar: <a href="https://github.com/google/log4jscanner" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/google/log4jscanner</a></p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=Arunprakash" class="user-hover" rel="Arunprakash">Arunprakash</a> Can you let us know when this issue will be fixed and upstream to git?</p> <p>Ok. I have used this scanner to detect the vulnerable log4j versions in ODL. ODL is still using older versions of log4j(1.2.x) which has been EOL for 7 years and has several known-vulnerabilities.</p> <p> <a href="https://github.com/mergebase/log4j-detector" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/mergebase/log4j-detector</a></p> <p>Log4j vulnerabilities will be remediated for Silicon, Phosphorus &amp; Sulfur (<a href="https://lists.opendaylight.org/g/release/message/20211" class="external-link" target="_blank" rel="nofollow noopener">Log4Shell impacts on ODL releases</a>):</p> <ul> <li>Silicon: originally unscheduled service release (SR4) in the near future</li> <li>Phosphorus: upcoming SR2 (planned for end of January)</li> <li>Sulfur: formal release is planned for mid March</li> </ul> <p>Release schedule</p> <ul> <li><a href="https://wiki.opendaylight.org/display/ODL/Release+Schedule+for+Silicon" class="external-link" target="_blank" rel="nofollow noopener">Release Schedule for Silicon</a></li> <li><a href="https://wiki.opendaylight.org/display/ODL/Release+Schedule+for+Phosphorus" class="external-link" target="_blank" rel="nofollow noopener">Release Schedule for Phosphorus</a></li> <li><a href="https://wiki.opendaylight.org/display/ODL/Release+Schedule+for+Sulfur" class="external-link" target="_blank" rel="nofollow noopener">Release Schedule for Sulfur</a></li> </ul> <p>odlparent releases addressing Log4j issues:</p> <ul> <li><a href="https://github.com/opendaylight/odlparent/blob/8.1.x/docs/NEWS.rst#version-816" class="external-link" target="_blank" rel="nofollow noopener">8.1.6</a></li> <li><a href="https://github.com/opendaylight/odlparent/blob/9.0.x/docs/NEWS.rst#version-9010" class="external-link" target="_blank" rel="nofollow noopener">9.0.10</a></li> </ul> <p>Will there be a hotfix update for the other versions, such as Sodium? If not, I suppose we can just package our own hotfix version of sodium with the cleaned out JAR file, but I think it would be more thorough if the fix came internally from Opendaylight </p> <p>Thanks <a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=sangwookha" class="user-hover" rel="sangwookha">sangwookha</a> for the update.</p> <p>Any tentative date planned for SR4 of Silicon?</p> <p>Older versions before Silicon are not supported any more, so there won't be a fix for the versions.</p> <p>I believe the plan will be discussed at the upcoming TSC meeting on Thursday.</p> <p>Please update us on the plan because we are working on a ODL project and we need to have this fixed before the go live.</p> <p>Our plan is to run this script after ODL is installed. It swaps out the infected JARs/.class files:</p> <p> </p> <p><a href="https://github.com/google/log4jscanner" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/google/log4jscanner</a></p> <p> </p> <p>Since I am on Sodium and update plans are not on the table at this point, this solution is working for us. </p> <p>If it swaps out the infected JARs, will all the related functionalities work? Also will this solution work for docker image</p> <p>Here is release plan for Silicon SR4: <a href="https://wiki.opendaylight.org/display/ODL/Silicon+SR4+Release+Checklist" class="external-link" target="_blank" rel="nofollow noopener">https://wiki.opendaylight.org/display/ODL/Silicon+SR4+Release+Checklist</a></p> <p>Release of official distribution is planned for Feb 2.</p> <p> </p> <p>Thanks for the update.</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=sangwookha" class="user-hover" rel="sangwookha">sangwookha</a>  Does this fix includes upgrade of 1.2.x log4j versions used in the project?</p> <p>I don't think 1.2.x is used for Silicon or later versions - e.g. Silicon SR3 includes pax-logging-log4j2 v2.0.10 and its dependency log4j 2.14.1.</p> <p>And there is dependency enforcement that requires at least v2.16.0 for log4j: <a href="https://git.opendaylight.org/gerrit/c/odlparent/+/99072" class="external-link" target="_blank" rel="nofollow noopener">https://git.opendaylight.org/gerrit/c/odlparent/+/99072</a></p> <p>I ran an internal scan to detect the log4j vulnerable versions used in Silicon and it shows the below:</p> <p><b>integration-distribution/karaf/target/assembly/system/org/ops4j/pax/logging/pax-logging-api/2.0.14/pax-logging-api-2.0.14.jar contains Log4J-1.x(1.2.17)</b></p> <p> </p> <p>Not sure what it is detecting but I don't think ODL includes Log4j v1.x.</p> <p>pax-logging-api does support Log4j v1.x API but it does not include Log4j 1.x implementation - it's a provided dependency: <a href="https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/2.0.14." class="external-link" target="_blank" rel="nofollow noopener">https://mvnrepository.com/artifact/org.ops4j.pax.logging/pax-logging-api/2.0.14.</a></p> <p>ODL has the following 3 pax-logging JAR files included:</p> <ul> <li>pax-logging-api</li> <li>pax-logging-log4j2</li> <li>pax-logging-logback</li> </ul> <p>but not pax-logging-log4j1.</p> <p>OK. Thanks for the this. One more query for fixing the log4j issue, are we upgrading the karaf runtime version . Could you please detail the changes in the fix?</p> <p>I don't have the full list of changes but Karaf will be upgraded to 4.3.6 (odlparent is upgraded from 8.1.4 in Silicon SR3 to <a href="https://github.com/opendaylight/odlparent/blob/8.1.x/docs/NEWS.rst#version-819" class="external-link" target="_blank" rel="nofollow noopener">8.1.9</a> in Silicon SR4). More details will be updated in <a href="https://docs.opendaylight.org/en/stable-silicon/release-notes/index.html" class="external-link" target="_blank" rel="nofollow noopener">Silicon Release Notes</a>.</p> <p>Thanks for the update. Will wait for the release notes then</p> <p><a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=sangwookha" class="user-hover" rel="sangwookha">sangwookha</a>  As per the release checklist , unlock stable version has been completed. Shall we take a fresh clone from ODL GitHub <a href="https://github.com/opendaylight/integration-distribution/tree/stable/silicon" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opendaylight/integration-distribution/tree/stable/silicon</a> for our  dev activity. Please confirm if the latest changes are committed to Silicon version</p> <p>Yes, Silicon SR4 version bump has been completed, except for self-managed projects (i.e. TransportPCE): <a href="https://lists.opendaylight.org/g/TSC/message/14049" class="external-link" target="_blank" rel="nofollow noopener">https://lists.opendaylight.org/g/TSC/message/14049</a></p> <p>Silicon SR4 has been officially released: <a href="https://docs.opendaylight.org/en/stable-silicon/downloads.html" class="external-link" target="_blank" rel="nofollow noopener">https://docs.opendaylight.org/en/stable-silicon/downloads.html</a></p> <p>Thanks <a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=sangwookha" class="user-hover" rel="sangwookha">sangwookha</a> . Can you update on the latest status of phosphorous SR2 release? Is it up to date to take a clone from <a href="https://github.com/opendaylight/integration-distribution/tree/stable/phosphorus/" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/opendaylight/integration-distribution/tree/stable/phosphorus/</a> </p> <p>It's not been approved/released yet but pretty close - the managed projects probably will be released within a few days.</p> <p>Hi <a href="https://jira.opendaylight.org/secure/ViewProfile.jspa?name=sangwookha" class="user-hover" rel="sangwookha">sangwookha</a> , Is the phosphorous SR2 distribution available now? If not, can you please tell us the dat of release. As per the release notes , it was on 24th Feb</p> <p>Phosphorus SR2 distribution is available now:<br/> <a href="https://nexus.opendaylight.org/content/repositories/opendaylight.release/org/opendaylight/integration/opendaylight/15.2.0/" class="external-link" target="_blank" rel="nofollow noopener">https://nexus.opendaylight.org/content/repositories/opendaylight.release/org/opendaylight/integration/opendaylight/15.2.0/</a></p> <p>I believe most of the Phosphorus SR2 release process has been completed other than some documentation update.</p> <p>Thanks for the update.</p> Development Rank 0|i0414v: