Thank you Airsay for raising this to the community, and to Aleks and
Michael for clarifying the exposure and impact for the Fineract
community.

Ed

On Sun, Dec 12, 2021, 08:12 Isaac Kamga <[email protected]> wrote:

> Thanks for the reassurance Michael.
>
> On Sat, Dec 11, 2021 at 09:16 Michael Vorburger <[email protected]> wrote:
>
>> Independently confirming this - relax everyone! (As in, you can relax for
>> Fineract. Don't relax for anything else you are responsible for - do check
>> any other code you have, this security vulnerability is as bad as they can
>> get; the Internet is rightfully on fire about this.)
>>
>> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
>> (which I found while working on
>> https://github.com/vorburger/MariaDB4j/issues/509) has some related
>> background; TL;DR: *"The log4j-to-slf4j and log4j-api jars that we
>> include in spring-boot-starter-logging cannot be exploited on their own.
>> Only applications using log4j-core and including user input in log messages
>> are vulnerable."*
>>
>> Or, more technically:
>>
>> $ ./gradlew fineract-provider:dependencies | grep log4j
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>
>> $ ./gradlew fineract-provider:dependencies | grep log4j-core
>> (nothing)
>>
>> Hope this helps everyone to sleep well... ;-)
>>
>>
>> On Sat, Dec 11, 2021 at 10:28 AM AirsayLongCon <[email protected]>
>> wrote:
>>
>>> Hello Aleks
>>> Thank you for the clarification
>>>
>>> On Sat, Dec 11, 2021, 10:17 AM Aleksandar Vidakovic <
>>> [email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> ... we are using SLF4J to abstract all the different logging frameworks
>>>> (Commons Logging, Log4J etc.). Under the hood logging in Fineract is done
>>>> by Logback and not Log4j. The only Log4j dependencies we have are those
>>>> that "redirect" the logging to Logback.
>>>>
>>>> Here's also a vulnerability report for that specific dependency
>>>> ("org.apache.logging.log4j:log4j-to-slf4j"):
>>>>
>>>> https://snyk.io/vuln/maven:org.apache.logging.log4j:log4j-to-slf4j
>>>>
>>>> FYI
>>>>
>>>> Cheers,
>>>>
>>>> Aleks
>>>>
>>>> On Sat, Dec 11, 2021 at 2:10 AM AirsayLongCon <[email protected]>
>>>> wrote:
>>>>
>>>>> Hello community,
>>>>> Are we aware of the RCE reportedly affecting log4j
>>>>>
>>>>> If your organization uses the log4j library, you should upgrade
>>>>> to log4j-2.1.50.rc2 immediately.
>>>>>
>>>>>
>>>>> https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
>>>>>
>>>>

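The check Michael runs above (grep the Gradle dependency tree for log4j-core) as a small script, added here as an illustration and not part of the thread or of Fineract: it dedupes the log4j artifacts in a dependency tree and classifies the tree as carrying no log4j, only the SLF4J bridge artifacts (log4j-to-slf4j and log4j-api), or the log4j-core implementation. The sample trees, the function names (list_log4j, classify_log4j) and the com.example library are constructed for this example; in practice the tree comes from `./gradlew <module>:dependencies`.

```shell
#!/bin/sh
# Added example: classify a Gradle dependency tree by its log4j content.
# Real use: ./gradlew fineract-provider:dependencies > tree.txt;
#           classify_log4j "$(cat tree.txt)"

# Constructed sample tree: only the SLF4J bridge artifacts, no log4j-core.
SAMPLE_TREE='
+--- org.springframework.boot:spring-boot-starter-logging:2.5.7
|    +--- ch.qos.logback:logback-classic:1.2.7
|    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    \--- org.slf4j:jul-to-slf4j:1.7.32
+--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1 (*)
'

# Constructed "bad" tree: a hypothetical library pulls in log4j-core.
SAMPLE_TREE_BAD="$SAMPLE_TREE
+--- com.example:hypothetical-lib:1.0
|    \--- org.apache.logging.log4j:log4j-core:2.14.1
"

# list_log4j TREE: print each distinct org.apache.logging.log4j artifact
# (group:artifact:version) exactly once, regardless of how many
# configurations repeat it in the tree.
list_log4j() {
  printf '%s\n' "$1" | grep -o 'org\.apache\.logging\.log4j:[^ ]*' | sort -u
}

# has_log4j_core TREE: exit 0 if log4j-core appears anywhere, 1 otherwise.
has_log4j_core() {
  list_log4j "$1" | grep -q ':log4j-core:'
}

# classify_log4j TREE: print "none", "bridge-only" or "core".
# "bridge-only" is the Fineract situation described in the thread:
# log4j-to-slf4j / log4j-api present, but no log4j-core implementation.
classify_log4j() {
  artifacts=$(list_log4j "$1")
  if [ -z "$artifacts" ]; then
    echo none
  elif printf '%s\n' "$artifacts" | grep -q ':log4j-core:'; then
    echo core
  else
    echo bridge-only
  fi
}
```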