See
https://issues.apache.org/jira/browse/JENA-2233
https://issues.apache.org/jira/browse/JENA-2224
https://github.com/apache/jena/blob/main/pom.xml
for the releases currently in the main branch which will be in the next
version 4.4.0
log4j2: 2.17.1
jackson: 2.13.1
Note: Jena does not use Jackson itself - it gets it via a dependency.
To make sure we ship a version without already-addressed
vulnerabilities, we exclude it via the dependency route and select the
version ourselves.
On 03/01/2022 09:42, Erik Bijsterbosch wrote:
Hi there,
I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
latest version:
https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
This image still contains log4j vulnerabilities from version 2.16.0.
These are supposed to be fixed in version 2.17.1
I also had to upgrade versions in the Dockerfile for openjdk and alpine to
get rid of more vulnerabilities:
ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0
With those settings, does the built docker Fuseki function correctly?
1) Is there a way to set the log4j version yourself?
Firstly - consider the attack vector.
Second - review the mitigations.
https://logging.apache.org/log4j/2.x/security.html
CVE-2021-44832:
"""
an attacker with permission to modify the logging configuration file can
construct a malicious configuration using a JDBC Appender with a data
source referencing a JNDI URI
"""
CVE-2021-45105:
"""
When the logging configuration uses a non-default Pattern Layout with a
Context Lookup (for example, $${ctx:loginId})
"""
The built-in Fuseki configuration and the one in jena-fuseki-docker do
not use a JDBC appender nor do they use the "${}" feature.
- can the attacker get access to the docker image build process?
- can the attacker get access to the running docker container?
----
There are various ways to modify the jar or dockerfile to use a
different version of log4j.
A - invoke with "java -cp", not "java -jar" and put your choice of log4j
on classpath before the jena-fuseki-server.jar.
The "main" class is org.apache.jena.fuseki.main.cmds.FusekiMainCmd
B - Modify the jena-fuseki-server jar itself.
jar files are zip files from the maven-shade-plugin. You can replace the
files in the zip file.
C - Jena is open source. Get the 4.3.2 sources, change the log4j
version, then rebuild. Probably best to give Jena a special version number.
2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?
See above.
Andy
Regards,
Erik
scan.log
- - - - - -
Testing docker.io/library/fuskeki-local...
Tested 58 dependencies for known issues, found 3 issues.
Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.13.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > com.fasterxml.jackson.core:jackson-databind@2.13.0
  This issue was fixed in versions: 2.13.1, 2.12.6
✗ Denial of Service (DoS) [High Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in org.apache.logging.log4j:log4j-core@2.16.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
✗ Arbitrary Code Execution [Medium Severity][https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in org.apache.logging.log4j:log4j-core@2.16.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
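Andy's option A written out as a Dockerfile: the log4j 2.17.1 jars are placed on the classpath ahead of the shaded jena-fuseki-server jar, and the build checks the version of the jar that goes first. This is an added example, not the jena-fuseki-docker Dockerfile or anything from the thread; the base image tag, the /opt/fuseki layout and the Maven Central URLs are assumptions.

```dockerfile
# Added example of option A (not the jena-fuseki-docker Dockerfile).
# Assumptions: base image tag, /opt/fuseki paths, Maven Central URLs.
FROM eclipse-temurin:17-jre-alpine

ARG JENA_VERSION=4.3.2
ARG LOG4J_VERSION=2.17.1
ARG MAVEN=https://repo1.maven.org/maven2
WORKDIR /opt/fuseki

# Fetch the shaded server jar and the two log4j artifacts it bundles.
RUN wget -q ${MAVEN}/org/apache/jena/jena-fuseki-server/${JENA_VERSION}/jena-fuseki-server-${JENA_VERSION}.jar \
 && wget -q -P lib ${MAVEN}/org/apache/logging/log4j/log4j-api/${LOG4J_VERSION}/log4j-api-${LOG4J_VERSION}.jar \
 && wget -q -P lib ${MAVEN}/org/apache/logging/log4j/log4j-core/${LOG4J_VERSION}/log4j-core-${LOG4J_VERSION}.jar

# Build-time check: the log4j-core jar we put first is the version we asked for.
# Maven writes its coordinates into META-INF/maven/<group>/<artifact>/pom.properties.
RUN unzip -p lib/log4j-core-${LOG4J_VERSION}.jar \
      META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties \
    | grep -qx "version=${LOG4J_VERSION}"

# Classpath order is the whole point: log4j api + core first, shaded jar last.
# The first jar on the classpath that contains a class is the one the JVM loads.
ENV FUSEKI_CP=/opt/fuseki/lib/log4j-api-${LOG4J_VERSION}.jar:/opt/fuseki/lib/log4j-core-${LOG4J_VERSION}.jar:/opt/fuseki/jena-fuseki-server-${JENA_VERSION}.jar

EXPOSE 3030
# "java -cp", not "java -jar"; "$@" forwards the CMD arguments to FusekiMainCmd.
ENTRYPOINT ["sh", "-c", "exec java -cp \"$FUSEKI_CP\" org.apache.jena.fuseki.main.cmds.FusekiMainCmd \"$@\"", "fuseki"]
CMD ["--mem", "/ds"]
```

To confirm at runtime which jar each log4j class came from, start the container once with JAVA_TOOL_OPTIONS=-verbose:class and read the "source:" field for the org.apache.logging.log4j.core classes. Note that the 2.16.0 files are still inside the shaded jar, so a scanner that inspects jar contents (as in scan.log above) will keep reporting them even though they are never loaded; only option B or C removes them from the image.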