Hello,

Sorry for asking a stupid question, but I'm not sure it would be enough to have just the below setting inside the docker container that runs the blankdots/jena-fuseki 3.17 image pulled from docker hub.

C:\Users\miettinj>docker exec -it 1a7e   /bin/bash
root@1a7e400c71aa:/jena-fuseki# echo $JVM_ARGS
-Xmx2g -Dlog4j2.formatMsgNoLookups=true
root@1a7e400c71aa:/jena-fuseki#

Or should I also change the run command as explained below?

Br, Jaana


Andy Seaborne wrote on 10.12.2021 16:55:
This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java versions Java 8u121 and Java 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase"
and
"com.sun.jndi.cosnaming.object.trustURLCodebase"

to "false", protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works
with all affected Fuseki versions:

JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server ....


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

    Andy
    on behalf of the Jena PMC
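One way to settle the question for a running container, as an added example that is not part of this thread and not Jena's own tooling: rather than trusting the JVM_ARGS value printed by a new docker exec shell, read the command line of the Java process itself from /proc, because an environment variable seen in a fresh shell says nothing about the arguments the server was actually started with. The flag string is the one given above; everything else (a POSIX shell, a readable /proc, the function names) is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the Jena mailing list thread): verify that a running
# Java process was started with the log4j2 mitigation flag, instead of only
# checking the JVM_ARGS variable in an interactive shell.

MITIGATION_FLAG='-Dlog4j2.formatMsgNoLookups=true'

# has_nolookups_flag CMDLINE
# Returns 0 if the space-separated command line contains the mitigation flag
# as a whole argument, 1 otherwise (so "...NoLookups=false" does not match).
has_nolookups_flag() {
    for arg in $1; do
        [ "$arg" = "$MITIGATION_FLAG" ] && return 0
    done
    return 1
}

# proc_cmdline PID
# Prints the command line of PID with NUL separators turned into spaces;
# prints nothing if the process does not exist or is unreadable.
proc_cmdline() {
    tr '\0' ' ' < "/proc/$1/cmdline" 2>/dev/null
}

# check_java_processes
# Walks /proc and reports every process whose executable is java (or ends in
# /java) together with whether it carries the flag. Returns 0 only if at least
# one java process was found and all of them are mitigated; a result with no
# java process at all is reported as a failure so it is never mistaken for
# a clean scan.
check_java_processes() {
    found=0
    missing=0
    for dir in /proc/[0-9]*; do
        pid=${dir#/proc/}
        cmd=$(proc_cmdline "$pid")
        # shellcheck disable=SC2086 (word splitting is intended here)
        set -- $cmd
        case "${1:-}" in
            java|*/java) ;;
            *) continue ;;
        esac
        found=$((found + 1))
        if has_nolookups_flag "$cmd"; then
            echo "PID $pid: mitigated ($MITIGATION_FLAG present)"
        else
            echo "PID $pid: NOT mitigated: $cmd"
            missing=$((missing + 1))
        fi
    done
    [ "$found" -gt 0 ] && [ "$missing" -eq 0 ]
}
```

Usage: copy the script into the container (or bind-mount it), then run `docker exec -it <container> sh -c '. /tmp/check.sh; check_java_processes'`. A non-zero exit means the running Fuseki JVM did not get the flag, in which case the start command itself (the JVM_ARGS="..." ./fuseki-server form above) needs changing, not just the shell environment.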
