Thank you, Michael, Aleks and Airsay!

On Tue, Dec 14, 2021 at 12:48 AM Ed Cable <[email protected]> wrote:

> Thank you Airsay for raising this to the community and then Aleks and
> Michael for clarifying the exposure and impact for the Fineract
> community.
>
> Ed
>
> On Sun, Dec 12, 2021, 08:12 Isaac Kamga <[email protected]> wrote:
>
>> Thanks for the reassurance Michael.
>>
>> On Sat, Dec 11, 2021 at 09:16 Michael Vorburger <[email protected]>
>> wrote:
>>
>>> Independently confirming this - relax everyone! (As in, you can relax
>>> for Fineract. Don't relax for anything else you are responsible for - do
>>> check any other code you have, this security vulnerability is as bad as they
>>> can get; the Internet is rightfully on fire about this.)
>>>
>>> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
>>> (which I found while working on
>>> https://github.com/vorburger/MariaDB4j/issues/509) has some related
>>> background; TL;DR: *"The log4j-to-slf4j and log4j-api jars that we
>>> include in spring-boot-starter-logging cannot be exploited on their own.
>>> Only applications using log4j-core and including user input in log messages
>>> are vulnerable."*
>>>
>>> Or, more technically:
>>>
>>> $ ./gradlew fineract-provider:dependencies | grep log4j
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>> |    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
>>> |    |    |    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
>>>
>>> $ ./gradlew fineract-provider:dependencies | grep log4j-core
>>> (nothing)
>>>
>>> Hope this helps everyone to sleep well... ;-)
>>>
>>>
>>> On Sat, Dec 11, 2021 at 10:28 AM AirsayLongCon <[email protected]>
>>> wrote:
>>>
>>>> Hello Aleks
>>>> Thank you for the clarification
>>>>
>>>> On Sat, Dec 11, 2021, 10:17 AM Aleksandar Vidakovic <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> ... we are using SLF4J to abstract all the different logging
>>>>> frameworks (Commons Logging, Log4J etc.). Under the hood logging in
>>>>> Fineract is done by Logback and not Log4j. The only Log4j dependencies we
>>>>> have are those that "redirect" the logging to Logback.
>>>>>
>>>>> Here's also a vulnerability report for that specific dependency
>>>>> ("org.apache.logging.log4j:log4j-to-slf4j"):
>>>>>
>>>>> https://snyk.io/vuln/maven:org.apache.logging.log4j:log4j-to-slf4j
>>>>>
>>>>> FYI
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Aleks
>>>>>
>>>>> On Sat, Dec 11, 2021 at 2:10 AM AirsayLongCon <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> Hello community,
>>>>>> Are we aware of the RCE reportedly affecting log4j?
>>>>>>
>>>>>> If your organization uses the log4j library, you should upgrade
>>>>>> to log4j-2.1.50.rc2 immediately.
>>>>>>
>>>>>>
>>>>>> https://www.huntress.com/blog/rapid-response-critical-rce-vulnerability-is-affecting-java
>>>>>>
>>>>>

-- 
Disclaimer:

Privileged & confidential information is contained in this message (including
all attachments). If you are not an intended recipient of this message, please
destroy this message immediately and kindly notify the sender by reply e-mail.
Any unauthorised use or dissemination of this message in any manner whatsoever,
in whole or in part, is strictly prohibited. This e-mail, including all
attachments hereto, (i) is for discussion purposes only and shall not be deemed
or construed to be a professional opinion unless expressly stated otherwise,
and (ii) is not intended, written or sent to be used, and cannot and shall not
be used, for any unlawful purpose. This communication, including any
attachments, may not be free of viruses, interceptions or interference, and may
not be compatible with your systems. You should carry out your own virus checks
before opening any attachment to this e-mail. The sender of this e-mail and
*Fynarfin Tech Private Limited* shall not be liable for any damage that you may
sustain as a result of viruses, incompleteness of this message, a delay in
receipt of this message or computer problems experienced.

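The dependency-tree check Michael ran in the thread, generalized into a small script. This is an added example, not code from the thread or from the Fineract project: it reads a Gradle `dependencies` report, extracts the resolved log4j-core versions, and reports `clean` when only the log4j-to-slf4j / log4j-api bridge jars are present (Fineract's situation), `affected` when a log4j-core older than 2.15.0 (the first release that fixed the RCE) is on the classpath, and `present` when a newer log4j-core is there and should still be verified against the current advisory. The three sample reports are constructed for the example and are not real Fineract output; the function names (`log4j_core_versions`, `older_than_2_15_0`, `classify_report`) are mine.

```shell
#!/bin/sh
# Added example (not from the thread or from Fineract): classify a Gradle
# dependency report for exposure to the log4j-core JNDI lookup RCE.
# Only log4j-core carries the exploitable lookup; log4j-to-slf4j and
# log4j-api on their own are bridge/API jars and are not affected.

# Constructed sample reports in Gradle's "+--- group:artifact:version" tree
# format. These are illustrative, not real Fineract output.
REPORT_BRIDGE_ONLY='+--- org.springframework.boot:spring-boot-starter-logging:2.5.7
|    +--- ch.qos.logback:logback-classic:1.2.7
|    +--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1
|    |    \--- org.apache.logging.log4j:log4j-api:2.14.1
|    \--- org.slf4j:jul-to-slf4j:1.7.32'

REPORT_WITH_CORE='+--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.14.1
|    \--- org.apache.logging.log4j:log4j-api:2.14.1 (*)
+--- org.apache.logging.log4j:log4j-to-slf4j:2.14.1'

REPORT_PATCHED='+--- org.apache.logging.log4j:log4j-core:2.14.1 -> 2.17.1
|    \--- org.apache.logging.log4j:log4j-api:2.17.1'

# Print the distinct *resolved* log4j-core versions in a report read from
# stdin. Gradle prints "requested -> resolved" when it overrides a version,
# so the right-hand side is what actually lands on the classpath; trailing
# markers such as "(*)" or "(c)" are dropped.
log4j_core_versions() {
  grep 'org\.apache\.logging\.log4j:log4j-core:' \
    | sed -e 's/.*log4j-core://' -e 's/.* -> //' -e 's/ (.*//' -e 's/ *$//' \
    | sort -u
}

# Succeed (exit 0) if version $1 is older than 2.15.0. Pre-release suffixes
# such as "2.0-beta9" are tolerated by stripping non-digits from the minor.
older_than_2_15_0() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2 | sed 's/[^0-9].*//')
  [ "${major:-0}" -lt 2 ] || { [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -lt 15 ]; }
}

# Classify a report read from stdin. Prints one word:
#   clean    - no log4j-core at all (bridge jars only)
#   affected - a log4j-core older than 2.15.0 is on the classpath
#   present  - log4j-core >= 2.15.0; still check it against the current advisory
classify_report() {
  versions=$(log4j_core_versions)
  if [ -z "$versions" ]; then
    echo clean
    return 0
  fi
  verdict=present
  for v in $versions; do
    if older_than_2_15_0 "$v"; then verdict=affected; fi
  done
  echo "$verdict"
}

# Demonstration on the constructed reports.
printf '%s\n' "$REPORT_BRIDGE_ONLY" | classify_report   # clean
printf '%s\n' "$REPORT_WITH_CORE"   | classify_report   # affected
printf '%s\n' "$REPORT_PATCHED"     | classify_report   # present
```

Against a real build, pipe the report in with `./gradlew fineract-provider:dependencies | classify_report`. The report only covers what Gradle resolves, so for a deployed artifact also list the jar's contents and look for `JndiLookup.class`: that class is where log4j-core's JNDI lookup lives, and it is not shipped in the log4j-to-slf4j or log4j-api bridge jars.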