Thanks for the reassurance Michael.

On Sat, Dec 11, 2021 at 09:16 Michael Vorburger <[email protected]> wrote:

> Independently confirming this - relax everyone! (As in, you can relax for
> Fineract. Don't relax for anything else you are responsible for - do check
> any other code you have, this security vulnerability is as bad as they can
> get; the Internet is rightfully on fire about this.)
>
> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
> (which I found while working on
> https://github.com/vorburger/MariaDB4j/issues/509) has some related
> background; TL;DR: *"The log4j-to-slf4j and log4j-api jars that we
> include in spring-boot-starter-logging cannot be exploited on their own.
> Only applications using log4j-core and including user input in log messages
> are vulnerable."*
>
> Or, more technically:
>
> $ ./gradlew fineract-provider:dependencies | grep log4j
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
> | | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
> | | | | \--- org.apache.logging.log4j:log4j-api:2.14.1
>
> $ ./gradlew fineract-provider:dependencies | grep log4j-core
> (nothing)
>
> Hope this helps everyone to sleep well... ;-)
>
>
> On Sat, Dec 11, 2021 at 10:28 AM AirsayLongCon <[email protected]>
> wrote:
>
>> Hello Aleks
>> Thank you for the clarification
>>
>> On Sat, Dec 11, 2021, 10:17 AM Aleksandar Vidakovic <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> ... we are using SLF4J to abstract all the different logging frameworks
>>> (Commons Logging, Log4J etc.). Under the hood logging in Fineract is done
>>> by Logback and not Log4j. The only Log4j dependencies we have are those
>>> that "redirect" the logging to Logback.
>>>
>>> Here's also a vulnerability report for that specific dependency
>>> ("org.apache.logging.log4j:log4j-to-slf4j"):
>>>
>>> https://snyk.io/vuln/maven:org.apache.logging.log4j:log4j-to-slf4j
>>>
>>> FYI
>>>
>>> Cheers,
>>>
>>> Aleks
>>>
>>> On Sat, Dec 11, 2021 at 2:10 AM AirsayLongCon <[email protected]>
>>> wrote:
>>>
>>>> Hello community,
>>>> Are we aware of the RCE reportedly affecting log4j?
>>>>
>>>> If your organization uses the log4j library, you should upgrade
>>>> to log4j-2.1.50.rc2 immediately.
>>>>
>>>>
>>>> https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
>>>>
>>>
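The `grep log4j` check Michael ran above only works if you know which artifact matters. The script below is an added example (not from this thread or the Fineract project) that parses saved `./gradlew <module>:dependencies` output and separates the harmless shim jars (log4j-to-slf4j, log4j-api) from an actual log4j-core, including Gradle's "requested -> resolved" notation. Both dependency trees embedded in it are constructed samples, and `com.example:some-lib` is a hypothetical artifact.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `./gradlew <module>:dependencies` output. CLEAN_TREE mirrors
# the shape of the tree posted in the thread (only the SLF4J shim jars);
# DIRTY_TREE adds a hypothetical library that transitively pulls in log4j-core.
CLEAN_TREE = """\
+--- org.springframework.boot:spring-boot-starter-logging:2.5.7
|    +--- ch.qos.logback:logback-classic:1.2.7
|    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    \\--- org.apache.logging.log4j:log4j-api:2.14.1
|    \\--- org.slf4j:jul-to-slf4j:1.7.32
"""
DIRTY_TREE = CLEAN_TREE + """\
+--- com.example:some-lib:1.0
|    \\--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.14.1
"""

# Gradle prints "group:artifact:version", or "group:artifact:requested -> resolved"
# when conflict resolution bumped the version; the resolved one is what ships.
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):([\w.\-]+)(?:\s+->\s+([\w.\-]+))?")


def log4j_artifacts(tree: str) -> Dict[str, Set[str]]:
    """Map each org.apache.logging.log4j artifact to the versions it resolves to."""
    found: Dict[str, Set[str]] = {}
    for line in tree.splitlines():
        for group, artifact, requested, resolved in DEP_RE.findall(line):
            if group != "org.apache.logging.log4j":
                continue
            found.setdefault(artifact, set()).add(resolved or requested)
    return found


def log4j_core_versions(tree: str) -> List[str]:
    """Resolved log4j-core versions in the tree; empty means only the shim jars are present."""
    return sorted(log4j_artifacts(tree).get("log4j-core", set()))


if __name__ == "__main__":
    for name, tree in (("clean", CLEAN_TREE), ("dirty", DIRTY_TREE)):
        cores = log4j_core_versions(tree)
        print(f"{name}: log4j-core {cores or 'absent'}; all log4j: {log4j_artifacts(tree)}")
```

Feed it real output with `./gradlew fineract-provider:dependencies > deps.txt` and call `log4j_core_versions(open("deps.txt").read())`; a non-empty result is the case the Spring post says needs attention.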
