On 03/01/2022 11:30, Lorenz Buehmann wrote:
That has already been addressed and will be provided with Jena 4.4.0:
https://issues.apache.org/jira/browse/JENA-2233?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
I doubt there will be another minor version 4.3.3, Andy?
I don't see a reason at the moment. As is normal in these incidents, new
information and attack variations appear as after-shocks, so that might
change.
It takes a compromised machine or compromised setup of the server to
exploit the ones addressed in 2.17.0 and 2.17.1.
The project has only so much bandwidth.
Andy
You could build the Docker image from sources, just check out the latest
code. Indeed, it's still a SNAPSHOT version, but you could also make
your own version out of it if you have no time to wait for 4.4.0.
On 03.01.22 10:42, Erik Bijsterbosch wrote:
Hi there,
I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
latest version:
https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
This image still contains log4j vulnerabilities from version 2.16.0.
These are supposed to be fixed in version 2.17.1.
I also had to upgrade versions in the Dockerfile for openjdk and alpine to
get rid of more vulnerabilities:
ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0
1) Is there a way to set the log4j version yourself?
2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?
Regards,
Erik
scan.log
- - - - - -
Testing docker.io/library/fuskeki-local...
Tested 58 dependencies for known issues, found 3 issues.
Issues with no direct upgrade or patch:
✗ Denial of Service (DoS) [Medium Severity] [https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.13.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > com.fasterxml.jackson.core:jackson-databind@2.13.0
  This issue was fixed in versions: 2.13.1, 2.12.6
✗ Denial of Service (DoS) [High Severity] [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in org.apache.logging.log4j:log4j-core@2.16.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
✗ Arbitrary Code Execution [Medium Severity] [https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in org.apache.logging.log4j:log4j-core@2.16.0
  introduced by org.apache.jena:jena-fuseki-server@4.3.2 > org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
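An added example, not code from the thread or from the Jena project, showing how to answer Erik's scan findings directly on the artifact rather than waiting for a scanner: read the log4j-core version bundled inside a jar such as the Fuseki server uber-jar and compare it against the 2.17.1 floor named above. It assumes the jar still carries Maven's META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties entry (shading normally keeps it) and that unzip is available; the jar path and the version strings in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): report the log4j-core version bundled
# in a jar and judge it against a minimum (default 2.17.1, the fix version
# for the last finding in the scan log above).
# Assumption: the jar keeps Maven's pom.properties for log4j-core under
# META-INF/maven/...; if it was stripped, the verdict is "unknown".
set -e

LOG4J_POM_PROPS="META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Pull the "version=" line out of pom.properties text on stdin.
log4j_version_from_props() {
    sed -n 's/^version=//p' | head -n 1
}

# Read the bundled log4j-core version out of a jar (needs unzip; empty if absent).
log4j_version_in_jar() {
    unzip -p "$1" "$LOG4J_POM_PROPS" 2>/dev/null | log4j_version_from_props
}

# Return 0 if dotted version $1 >= $2, comparing numerically field by field,
# so that 2.17.1 > 2.3.2 (string comparison would get this wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Verdict for a version string: "ok" (0), "vulnerable" (1) or "unknown" (2).
# A "-SNAPSHOT" style suffix is dropped before comparing.
check_log4j() {
    v="${1%%-*}"; min="${2:-2.17.1}"
    if [ -z "$v" ]; then echo "unknown"; return 2; fi
    if version_ge "$v" "$min"; then echo "ok"; return 0; fi
    echo "vulnerable"; return 1
}

# Stand-alone use: check_jar path/to/jena-fuseki-server-4.3.2.jar [min-version]
check_jar() {
    check_log4j "$(log4j_version_in_jar "$1")" "${2:-2.17.1}"
}
```

Run it against the jar the image was built from before trusting a scanner's dependency graph; an "unknown" verdict means the Maven metadata is missing from the jar and the version has to be established another way (for example from the build's dependency tree).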