Hi,

Appreciate the feedback!

At this point, should we just use the latest axis2-1.8.0.war and patch the 
lower log4j 2.14.1 version to the newer 2.17.0? Has that been done and proven 
to work on your end?

When can we expect the 1.8.1 to be available?

Thanks.


From: robertlazarski <robertlazar...@gmail.com>
Reply-To: "java-user@axis.apache.org" <java-user@axis.apache.org>
Date: Wednesday, January 26, 2022 at 4:12 PM
To: "java-user@axis.apache.org" <java-user@axis.apache.org>
Subject: {EXTERNAL} Re: [Axis2] log4j inquiry




The latest log4j2 is 2.17.1. That's the version used in our pom.xml in git.

1.6.x actually ships with log4j 1.x.

The Axis2 release of 1.8.0 shipped log4j2 jars, which unfortunately need to be 
patched manually via the latest jars.

We'll be releasing 1.8.1 soon that will fix that.

On Wed, Jan 26, 2022 at 11:02 AM Malaluan, Jay Joel 
<jayjoel.malal...@ethoca.com> wrote:
Hi,

During December 2021, there was a log4j-wide vulnerability. For reference, 
https://logging.apache.org/log4j/2.x/security.html.

At that time our company did some patching to address our vulnerable components.
We use a very old version of the axis2.war, which is v1.6.x. Based on our 
internal scan, it was found that it has axis2/WEB-INF/lib/log4j-1.2.15.jar.
Our security team's recommended fix should be >= log4j 2.16.0.

Looking at the latest available release in 
https://axis.apache.org/axis2/java/core/download.html,
it's axis2-1.8.0.war, and when I peeked inside, the log4j library versions 
are still 2.14.1.

WEB-INF/lib/log4j-api-2.14.1.jar
WEB-INF/lib/log4j-core-2.14.1.jar
WEB-INF/lib/log4j-jcl-2.14.1.jar

Based on the site 
https://logging.apache.org/log4j/2.x/security.html,
it should be 2.17.0 (for Java 8 and later).

Is there a newer axis2.war release that has the latest 2.17.x log4j library 
version?

Thanks.

Jay Malaluan
Software Development Engineer II

Mastercard



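The "peek inside the WAR" check the thread describes, written out as an added example (this is not code from the Axis2 project or from either poster): it lists the log4j jars under WEB-INF/lib of a WAR and flags anything below the 2.17.1 baseline the reply cites, treating a log4j 1.x jar as its own case rather than a version comparison. The sample WAR is constructed in memory, and splitting a jar name into artifact and version relies on the trailing numeric suffix, which is an assumption about naming rather than anything the thread states.

```python
"""Scan a WAR (any zip) for bundled log4j jars and flag versions below a baseline.

Added example for the mailing-list thread above; not Axis2 project code.
The 2.17.1 baseline is the version the reply names as current in its pom.xml.
"""
import io
import re
import sys
import zipfile

LOG4J2_BASELINE = (2, 17, 1)
STATUS_OK = "ok"
STATUS_UPGRADE = "below 2.17.1, upgrade"
STATUS_EOL = "log4j 1.x, end of life, migrate to log4j 2"

# Assumption: jar names look like WEB-INF/lib/<artifact>-<version>.jar, where
# the artifact is anything starting with "log4j" (log4j-api, log4j-core,
# log4j-jcl, log4j-1.2-api, or plain log4j for the 1.x line) and the version
# is the trailing dotted number. The lazy ".*?" lets the version be the last
# numeric suffix, so log4j-1.2-api-2.17.1.jar parses as artifact log4j-1.2-api.
JAR_RE = re.compile(r"^WEB-INF/lib/(log4j.*?)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so tuple comparison orders versions."""
    return tuple(int(part) for part in text.split("."))


def classify(version):
    """Map a parsed version tuple to one of the STATUS_* strings."""
    if version[0] == 1:
        return STATUS_EOL
    if version < LOG4J2_BASELINE:
        return STATUS_UPGRADE
    return STATUS_OK


def scan_war(data):
    """Return a list of (artifact, version_text, status) for every log4j jar."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            match = JAR_RE.match(name)
            if not match:
                continue  # not a log4j jar (or not under WEB-INF/lib)
            artifact, version_text = match.groups()
            findings.append((artifact, version_text, classify(parse_version(version_text))))
    return findings


def needs_action(findings):
    """Only the findings that are not already at or above the baseline."""
    return [f for f in findings if f[2] != STATUS_OK]


def build_sample_war(jar_names):
    """Constructed sample: a minimal WAR whose WEB-INF/lib holds the named (empty) jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            war_bytes = fh.read()
    else:
        # The three jars the original post found inside axis2-1.8.0.war
        war_bytes = build_sample_war(
            ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar", "log4j-jcl-2.14.1.jar"]
        )
    for artifact, version_text, status in scan_war(war_bytes):
        print(f"{artifact}-{version_text}.jar: {status}")
```

Run it with a path to a real WAR to scan that archive, or with no argument to scan the constructed sample. Because jar names are the only signal, a jar that was renamed or shaded will not be reported; a class-level check (for example, looking for `org/apache/logging/log4j/core/lookup/JndiLookup.class` inside each jar) is the next step when filenames cannot be trusted.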