Re: Information about Apache Jena and Log4j2 vulnerability.

2021-12-14 Thread Andy Seaborne

On 14/12/2021 12:04, jaa...@kolumbus.fi wrote:

Hello,

Sorry for asking a stupid question, but I'm not sure it would be enough to 
have just the setting below inside the Docker container that runs the 
blankdots/jena-fuseki 3.17 image pulled from Docker Hub.


Disclaimer:

blankdots/jena-fuseki isn't connected with the Apache Jena project and I 
don't know that docker build.



C:\Users\miettinj>docker exec -it 1a7e   /bin/bash
root@1a7e400c71aa:/jena-fuseki# echo $JVM_ARGS
-Xmx2g -Dlog4j2.formatMsgNoLookups=true
root@1a7e400c71aa:/jena-fuseki#

Or should I also change the run command as explained below?


If it is Fuseki 3.17 then it needs "-Dlog4j2.formatMsgNoLookups=true".

As long as JVM_ARGS propagates to the execution of Fuseki, then you 
should be good. (It is vulnerable to the unrelated Jena CVE fixed in 
4.2.0. [*])


Upgrading is better.

https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-docker/4.3.1/

Andy

[*] https://lists.apache.org/thread/qpbfrdty7jt3yfm39hx4p9dp151sd6gm



Br, Jaana


Andy Seaborne wrote on 10.12.2021 16:55:

This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java versions 8u121 and 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase"
to "false", protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works
with all affected Fuseki versions:

JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server 


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

    Andy
    on behalf of the Jena PMC


Re: Information about Apache Jena and Log4j2 vulnerability.

2021-12-14 Thread jaanam

Hello,

Sorry for asking a stupid question, but I'm not sure it would be enough to 
have just the setting below inside the Docker container that runs the 
blankdots/jena-fuseki 3.17 image pulled from Docker Hub.


C:\Users\miettinj>docker exec -it 1a7e   /bin/bash
root@1a7e400c71aa:/jena-fuseki# echo $JVM_ARGS
-Xmx2g -Dlog4j2.formatMsgNoLookups=true
root@1a7e400c71aa:/jena-fuseki#

Or should I also change the run command as explained below?

Br, Jaana


Andy Seaborne wrote on 10.12.2021 16:55:

This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java versions 8u121 and 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase"
to "false", protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works
with all affected Fuseki versions:

JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server 


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

Andy
on behalf of the Jena PMC


Re: Information about Apache Jena and Log4j2 vulnerability.

2021-12-12 Thread Andy Seaborne

Please don't mix the focus of the thread.

This thread is important information about the Apache Jena project.

To be clear to the wider audience: RDF Delta is not under the governance 
of the Apache Jena PMC.


Andy

Obviously, the published mitigations work with the combined RDF 
Delta/Fuseki artifact.


On 10/12/2021 19:05, Brandon Sara wrote:

Andy, will you be releasing an RDF-Delta update that uses 4.3.1 soon as well?


Re: Information about Apache Jena and Log4j2 vulnerability.

2021-12-10 Thread Brandon Sara
Andy, will you be releasing an RDF-Delta update that uses 4.3.1 soon as well?



Information about Apache Jena and Log4j2 vulnerability.

2021-12-10 Thread Andy Seaborne

This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java versions 8u121 and 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase" and
"com.sun.jndi.cosnaming.object.trustURLCodebase"
to "false", protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with 
all affected Fuseki versions:


JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server 


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

Andy
on behalf of the Jena PMC
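The two checks this thread turns on, as an added example that is not code from the Jena project or from anyone in the thread: does the "-Dlog4j2.formatMsgNoLookups=true" workaround actually reach the running Fuseki JVM (Andy's "as long as JVM_ARGS propagates" caveat in his reply to Jaana), and is the Java runtime one of the versions listed above as defaulting the JNDI trustURLCodebase properties to "false". The function names, the /proc-based lookup of a running JVM's command line, and the version-string parsing are this example's own assumptions; the sample JVM_ARGS value is the one Jaana echoed inside the container.

```shell
#!/bin/sh
# Added example, not from the Jena project: verify the log4j2 "no lookups"
# workaround is really on a running JVM's command line, and classify a Java
# version string against the 8u121 / 11.0.1 thresholds named in the thread.

# Returns 0 when the JVM argument string carries the exact workaround flag.
# Arguments are split on whitespace so "=false" or a near-miss does not match.
has_nolookups_flag() {
    printf '%s\n' "$1" | tr -s ' \t' '\n' | grep -qxF -- '-Dlog4j2.formatMsgNoLookups=true'
}

# Linux only: read the real command line of a running JVM by PID (NUL-separated
# in /proc) and check it; this is what "JVM_ARGS propagates" means in practice.
fuseki_proc_has_flag() {
    has_nolookups_flag "$(tr '\0' ' ' < "/proc/$1/cmdline")"
}

# Extract the version string from "java -version" (e.g. 11.0.1 or 1.8.0_121).
java_version_string() {
    java -version 2>&1 | sed -n 's/.* version "\([^"]*\)".*/\1/p' | head -n 1
}

# Returns 0 for versions the thread names as safe by default: 8u121 or a later
# 8 update, or 11.0.1 and later (12+ included). Older 8, Java 9/10 and anything
# unparsable return 1, so the workaround flag (or an upgrade) is still required.
jndi_codebase_default_false() {
    case "$1" in
        1.8.0_*)
            u=${1#1.8.0_}; u=${u%%[!0-9]*}
            [ -n "$u" ] && [ "$u" -ge 121 ] ;;
        1.*) return 1 ;;
        *)
            major=${1%%.*}; major=${major%%[!0-9]*}
            [ -n "$major" ] || return 1
            [ "$major" -ge 12 ] && return 0
            [ "$major" -eq 11 ] || return 1
            rest=${1#11}; rest=${rest#.}
            minor=${rest%%.*}; minor=${minor%%[!0-9]*}
            patch=${rest#"$minor"}; patch=${patch#.}; patch=${patch%%[!0-9]*}
            [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -ge 1 ] ;;
    esac
}

# The JVM_ARGS value echoed inside the container earlier in the thread.
SAMPLE_JVM_ARGS='-Xmx2g -Dlog4j2.formatMsgNoLookups=true'
if has_nolookups_flag "$SAMPLE_JVM_ARGS"; then
    echo "workaround flag present in JVM_ARGS"
else
    echo "workaround flag MISSING: fix JVM_ARGS or upgrade Fuseki"
fi
```

The flag is only honoured by log4j2 2.10 and later, so on an image whose bundled log4j version you cannot confirm, upgrading to the 4.3.1 Fuseki artifact Andy links is the safer path.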