[ https://issues.apache.org/jira/browse/TINKERPOP-2534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17363640#comment-17363640 ]

ASF GitHub Bot commented on TINKERPOP-2534:
-------------------------------------------

spmallette opened a new pull request #1444:
URL: https://github.com/apache/tinkerpop/pull/1444


   https://issues.apache.org/jira/browse/TINKERPOP-2534
   
   There is a CVE with log4j 1.2 which EOL'd 5 years ago. We haven't really 
focused on changing this earlier because log4j is an optional dependency and 
can be swapped out by the user to their preferred logging provider given that 
we use slf4j. That said, it's better that we simply not include it in our 
distributions and docker packaging would work better out of the box without the 
CVE struck log4j in the mix. logback is dual licensed, but given that one of 
those licenses is under EPL we can make use of it - see 
https://issues.apache.org/jira/browse/LEGAL-63 for further details if needed.
   
   All tests pass with `docker/build.sh -t -n -i`. Logging tested for 
server/console distributions and their respective docker containers. Test 
logging seems correct as well since Travis passed.
   
   VOTE +1


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.



> Log4j flagged as critical security violation
> --------------------------------------------
>
>                 Key: TINKERPOP-2534
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2534
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: console, server
>    Affects Versions: 3.4.10
>            Reporter: Dan Snoddy
>            Priority: Major
>
> Gremlin server and console include log4j 1.2, which end-of-life'd > 5 years 
> ago. 
> Security scanning software (twistlock), flags log4j 1.2 as a critical 
> security violation, and hence prohibits deployment.
> CRITICAL:
> Attack complexity: low, Attack vector: network, Critical severity, Remote 
> execution
> CVE-2019-17571
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571
> Included in Log4j 1.2 is a SocketServer class that is 
> vulnerable to deserialization of untrusted data which can be exploited to 
> remotely execute arbitrary code when combined with a deserialization gadget 
> when listening to untrusted network traffic for log data. This affects Log4j 
> versions up to 1.2 up to 1.2.17.
>
> Is there a plan to remove log4j 1.2 so that installation of either gremlin 
> server or console do not include the jars that trigger this security issue?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
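As an added check, not part of the ticket or of the TinkerPop project's own code, the following Python scan walks a distribution's lib directory (the kind of gremlin-server/gremlin-console layout the PR repackages) and flags any jar still shipping the org.apache.log4j.net.SocketServer class that the CVE-2019-17571 description refers to. The jars it scans are constructed in a temporary directory for the demonstration, and the version lookup assumes the jar carries Maven's pom.properties.

```python
import tempfile
import zipfile
from pathlib import Path

# Class that implements the untrusted-deserialization listener from CVE-2019-17571.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Maven metadata path for the log4j:log4j artifact (assumed present in the jar).
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


def inspect_jar(path):
    """Return a finding dict if the jar is a log4j 1.2 artifact, else None."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if SOCKET_SERVER_CLASS not in names:
            return None
        version = "unknown"
        if POM_PROPERTIES in names:
            props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        return {"jar": str(path), "version": version, "class": SOCKET_SERVER_CLASS}


def scan_distribution(root):
    """Walk a distribution directory recursively and list every log4j 1.2 jar found."""
    findings = (inspect_jar(p) for p in sorted(Path(root).rglob("*.jar")))
    return [f for f in findings if f]


def make_sample_jar(path, with_log4j12):
    """Constructed sample jar for offline demonstration; not a real artifact."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_log4j12:
            jar.writestr(SOCKET_SERVER_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
            jar.writestr(POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        else:
            jar.writestr("ch/qos/logback/classic/Logger.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build a constructed lib/ directory with one log4j 1.2 jar and one logback jar, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        make_sample_jar(lib / "log4j-1.2.17.jar", True)
        make_sample_jar(lib / "logback-classic.jar", False)
        return scan_distribution(lib)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['jar']}: log4j {finding['version']} ships {finding['class']}")
```

Run it against a real unpacked distribution with `scan_distribution("/path/to/apache-tinkerpop-gremlin-server/lib")`; an empty result means no jar in that tree carries the vulnerable SocketServer class.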
