That has already been addressed and will be provided with Jena 4.4.0:

https://issues.apache.org/jira/browse/JENA-2233?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

I doubt there will be another minor version 4.3.3, Andy?

You could build the Docker image from sources, just checkout the latest code. Indeed, it's still a SNAPSHOT version, but you could also make your own version out of it if you have no time to wait for 4.4.0.

On 03.01.22 10:42, Erik Bijsterbosch wrote:
Hi there,

I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
latest version:
https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/

This image still contains log4j vulnerabilities from version 2.16.0.
These are supposed to be fixed in version 2.17.1.
I also had to upgrade versions in the Dockerfile for openjdk and alpine to
get rid of more vulnerabilities:

ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0

1) Is there a way to set the log4j version yourself?

2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?

Regards,
Erik

scan.log
  - - - - - -

Testing docker.io/library/fuskeki-local...

Tested 58 dependencies for known issues, found 3 issues.


Issues with no direct upgrade or patch:
   ✗ Denial of Service (DoS) [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
com.fasterxml.jackson.core:[email protected]
     introduced by org.apache.jena:[email protected] >
com.fasterxml.jackson.core:[email protected]
   This issue was fixed in versions: 2.13.1, 2.12.6
   ✗ Denial of Service (DoS) [High Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
org.apache.logging.log4j:[email protected]
     introduced by org.apache.jena:[email protected] >
org.apache.logging.log4j:[email protected]
   This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
   ✗ Arbitrary Code Execution [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
org.apache.logging.log4j:[email protected]
     introduced by org.apache.jena:[email protected] >
org.apache.logging.log4j:[email protected]
   This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
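Added example, not part of the thread: a POSIX shell check that takes the jar listing of a built Fuseki image (here a constructed sample) and flags log4j-core and jackson-databind jars older than the fixed versions the scan names, 2.17.1 and 2.13.1. The paths, the `docker run ... find` command in the comment and the artifact file names are assumptions.

```shell
#!/bin/sh
# Constructed sample listing (assumption), standing in for the output of:
#   docker run --rm --entrypoint find IMAGE / -name '*.jar'
SAMPLE_JARS='/fuseki/fuseki-server.jar
/fuseki/lib/log4j-api-2.16.0.jar
/fuseki/lib/log4j-core-2.16.0.jar
/fuseki/lib/jackson-databind-2.13.0.jar
/fuseki/lib/jackson-core-2.13.0.jar'

# version_lt A B: succeeds when dotted numeric version A is older than B
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# jar_version PATH: version suffix of a Maven-style jar name (e.g. 2.16.0)
jar_version() {
    basename "$1" .jar | sed -n 's/^.*-\([0-9][0-9.]*\)$/\1/p'
}

# outdated_jars ARTIFACT MIN_VERSION JAR_LIST: prints "path version" for
# every ARTIFACT-<version>.jar in JAR_LIST that is older than MIN_VERSION
outdated_jars() {
    artifact=$1; min=$2
    printf '%s\n' "$3" | while IFS= read -r jar; do
        case "$(basename "$jar")" in
            "$artifact"-*.jar) ;;
            *) continue ;;
        esac
        v=$(jar_version "$jar")
        if [ -n "$v" ] && version_lt "$v" "$min"; then
            printf '%s %s\n' "$jar" "$v"
        fi
    done
}

# check_jar_list JAR_LIST: returns 1 and prints the offending jars when a
# log4j-core (< 2.17.1) or jackson-databind (< 2.13.1) jar is still present
check_jar_list() {
    found=$(outdated_jars log4j-core 2.17.1 "$1"
            outdated_jars jackson-databind 2.13.1 "$1")
    if [ -z "$found" ]; then return 0; fi
    printf '%s\n' "$found"
    return 1
}

check_jar_list "$SAMPLE_JARS"
```

Against the sample listing it reports the log4j-core 2.16.0 and jackson-databind 2.13.0 jars, which matches the three findings in the scan log above.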
