[ 
https://issues.apache.org/jira/browse/TINKERPOP-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17302744#comment-17302744
 ] 

Stephen Mallette commented on TINKERPOP-2534:
---------------------------------------------

log4j is an {{<optional>}} dependency for both console and server and I think 
{{<scope>test</scope>}} in all other places. I imagine the latter isn't a huge 
security concern and the former at least fixable by the user as they may use 
any slf4j enabled logger they wish (i.e. log4j can be removed without impact 
to operations of console or server). That said, I suppose we could upgrade, 
especially along the 3.5.0 line. 

I tried doing this upgrade once before and was met with problems with 
spark/hadoop but I'm not sure why that mattered exactly and, of course, I 
didn't comment what those problems were:

https://issues.apache.org/jira/browse/TINKERPOP-1983

I will make an effort to upgrade along the 3.5.0 line and see if I can quickly 
encounter the problem I was having. 

> Log4j flagged as critical security violation
> --------------------------------------------
>
>                 Key: TINKERPOP-2534
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2534
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: console, server
>    Affects Versions: 3.4.10
>            Reporter: Dan Snoddy
>            Priority: Major
>
> Gremlin server and console include log4j 1.2, which end-of-life'd > 5 years 
> ago. 
> Security scanning software (twistlock), flags log4j 1.2 as a critical 
> security violation, and hence prohibits deployment.
> CRITICAL:
> Attack complexity: low, Attack vector: network, Critical severity, Remote 
> execution
> CVE-2019-17571
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571
> Included in Log4j 1.2 is a SocketServer class that is 
> vulnerable to deserialization of untrusted data which can be exploited to 
> remotely execute arbitrary code when combined with a deserialization gadget 
> when listening to untrusted network traffic for log data. This affects Log4j 
> versions up to 1.2 up to 1.2.17.
>  
> Is there a plan to remove log4j 1.2 so that installation of either gremlin 
> server or console do not include the jars that trigger this security issue?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
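One way for a user to verify whether a deployed Gremlin Server or Console lib/ directory still ships the flagged Log4j 1.2 jar (and the class CVE-2019-17571 concerns), as an added example that is not part of the Jira thread or the TinkerPop project. The scanner, the jar-name pattern and the constructed sample jars are my assumptions; the class path org/apache/log4j/net/SocketServer.class is the one the CVE description refers to.

```python
"""Scan a lib/ directory for Log4j 1.2 jars and the SocketServer class (CVE-2019-17571)."""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional

# Class whose untrusted-deserialization flaw CVE-2019-17571 describes.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Matches log4j-1.2.17.jar, log4j-1.2.16.jar, ... but not log4j-core-2.x jars.
LOG4J1_NAME = re.compile(r"^log4j-(1\.2\.\d+)\.jar$")


def scan_lib_dir(lib_dir: str) -> List[Dict[str, object]]:
    """Return one finding per jar that is Log4j 1.2 by name or contains SocketServer."""
    findings = []
    for name in sorted(os.listdir(lib_dir)):
        path = os.path.join(lib_dir, name)
        if not name.endswith(".jar") or not zipfile.is_zipfile(path):
            continue
        with zipfile.ZipFile(path) as jar:
            # Check the jar contents, not just the filename: a renamed or
            # shaded jar can still carry the class.
            has_socket_server = SOCKET_SERVER_CLASS in jar.namelist()
        m = LOG4J1_NAME.match(name)
        if m or has_socket_server:
            findings.append({
                "jar": name,
                "version": m.group(1) if m else None,
                "socket_server_present": has_socket_server,
            })
    return findings


def build_sample_lib(lib_dir: Optional[str] = None) -> str:
    """Constructed sample lib/: a fake log4j-1.2.17.jar and an unrelated jar.

    Entries are empty placeholders, not real bytecode. Returns the directory path.
    """
    lib_dir = lib_dir or tempfile.mkdtemp(prefix="sample-lib-")
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr(SOCKET_SERVER_CLASS, b"")
        jar.writestr("org/apache/log4j/Logger.class", b"")
    with zipfile.ZipFile(os.path.join(lib_dir, "slf4j-api.jar"), "w") as jar:
        jar.writestr("org/slf4j/Logger.class", b"")
    return lib_dir


if __name__ == "__main__":
    for finding in scan_lib_dir(build_sample_lib()):
        print(finding)
```

Point scan_lib_dir at the real lib/ directory of an unpacked distribution; an empty result means no Log4j 1.2 jar and no SocketServer class were found by this check.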
