[
https://issues.apache.org/jira/browse/BEAM-14069?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17511444#comment-17511444
]
Kyle Weaver commented on BEAM-14069:
------------------------------------
It looks like there are a couple of transitive dependencies that pull in log4j
1.2.17. Neither looks like a security concern, nor can Beam really do anything
about them.
1. com.google.uzaygezen, depended upon by Calcite. It hasn't had a release
since 2014. It is used only in a utility for calculating Hilbert curves.
https://github.com/apache/calcite/blob/4bc916619fd286b2c0cc4d5c653c96a68801d74e/core/src/main/java/org/apache/calcite/runtime/HilbertCurve2D.java
This was brought up on the Calcite mailing list, and someone pointed out that
the uzaygezen library includes log4j but doesn't use it.
https://lists.apache.org/thread/c1rpshzc8qo9rz8y4f3b8y26rn7fcp8z Plus Beam does
not use the Calcite spatial functions that depend on it.
2. commons-logging, which is listed by a number of transitive dependencies.
commons-logging also hasn't had a release since 2014. Even here log4j is an
*optional* dependency.
https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.pom
And the Flink job server explicitly excludes commons-logging from the build in
the first place.
https://github.com/apache/beam/blob/b9846fbc03257b408c92d1ad4a124e2e1e9616b4/runners/flink/job-server/flink_job_server.gradle#L76
Spotbugs is used in our build, but is never shipped in any release artifacts.
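A way to reproduce the kind of check the reporter did, listing every Maven artifact a fat jar bundles by reading its META-INF/maven/<groupId>/<artifactId>/pom.xml entries and flagging any Log4j 1.x among them. This is an added example, not Beam's code; the jar is constructed in memory and every artifact other than log4j:log4j 1.2.17 is made up.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

POM_RE = re.compile(r"META-INF/maven/([^/]+)/([^/]+)/pom\.xml")

def bundled_artifacts(jar_bytes):
    """Map (groupId, artifactId) -> version for every pom.xml under META-INF/maven/."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_RE.fullmatch(name)
            if not m:
                continue
            root = ET.fromstring(zf.read(name))
            for el in root.iter():  # drop the POM xmlns so plain tag lookups work
                el.tag = el.tag.split("}", 1)[-1]
            # a module may inherit its version from <parent>, so fall back to that
            ver = root.findtext("version") or root.findtext("parent/version")
            found[(m.group(1), m.group(2))] = ver
    return found

def log4j1_traces(artifacts):
    """Subset of artifacts that is Log4j 1.x (log4j:log4j with a 1.* version)."""
    return {k: v for k, v in artifacts.items()
            if k == ("log4j", "log4j") and v is not None and v.startswith("1.")}

def _pom(group, artifact, version=None, parent_version=None):
    # minimal constructed pom.xml; real ones carry far more, but this is all we read
    parent = (f"<parent><groupId>{group}</groupId><artifactId>parent</artifactId>"
              f"<version>{parent_version}</version></parent>") if parent_version else ""
    own = f"<version>{version}</version>" if version else ""
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">{parent}'
            f"<groupId>{group}</groupId><artifactId>{artifact}</artifactId>{own}</project>")

def build_sample_jar():
    """Constructed fat jar: the log4j 1.2.17 pom plus two made-up libraries, one version-inherited."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/log4j/log4j/pom.xml", _pom("log4j", "log4j", "1.2.17"))
        zf.writestr("META-INF/maven/com.example/example-lib/pom.xml",
                    _pom("com.example", "example-lib", "1.0.0"))
        zf.writestr("META-INF/maven/com.example/child-lib/pom.xml",
                    _pom("com.example", "child-lib", parent_version="2.0.0"))
    return buf.getvalue()

if __name__ == "__main__":
    arts = bundled_artifacts(build_sample_jar())  # swap in open("x.jar", "rb").read()
    print(sorted(arts.items()), log4j1_traces(arts))
```

Note that a bundled pom.xml only proves the artifact's metadata was shaded in; whether its classes are on the classpath, or ever loaded, is a separate question, which is the distinction the comment above is making.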
> Traces of Log4j 1.x inside of beam-runners-flink-1.13-job-server-2.36.0.jar
> ----------------------------------------------------------------------------
>
> Key: BEAM-14069
> URL: https://issues.apache.org/jira/browse/BEAM-14069
> Project: Beam
> Issue Type: Bug
> Components: runner-flink
> Affects Versions: 2.36.0
> Reporter: Ohad Pinchevsky
> Priority: P1
>
> Log4j 1.x is EOL, still traces of it found inside
> beam-runners-flink-1.13-job-server-2.36.0.jar
> Path to pom.xml with that version:
> /beam-runners-flink-1.13-job-server-2.36.0/META-INF/maven/log4j/log4j/pom.xml
> Inside version tag: 1.2.17
>
> Also SpotBugs Annotations 4.0.0-beta1
> Apache Log4j JNDI features used in configuration, log messages, and
> parameters do not protect against attacker controlled LDAP and other JNDI
> related endpoints. An attacker who can control log messages or log message
> parameters can execute arbitrary code loaded from LDAP servers when message
> lookup substitution is enabled. [CVE-2021-44228]
> Vendor Affected Components:
> SpotBugs ≤ 4.5.1
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)