On 03/01/2022 11:30, Lorenz Buehmann wrote:
That has already been addressed and will be provided with Jena 4.4.0:

https://issues.apache.org/jira/browse/JENA-2233?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

I doubt there will be another minor version 4.3.3, Andy?

I don't see a reason at the moment. As is normal in these incidents, new information and attack variations appear as after-shocks, so that might change.

It takes a compromised machine or compromised setup of the server to exploit the ones addressed in 2.17.0 and 2.17.1.

The project has only so much bandwidth.

    Andy

You could build the Docker image from sources, just check out the latest code. Indeed, it's still a SNAPSHOT version, but you could also make your own version out of it if you have no time to wait for 4.4.0.

On 03.01.22 10:42, Erik Bijsterbosch wrote:
Hi there,

I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
latest version:
https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/

This image still contains log4j vulnerabilities from version 2.16.0.
These are supposed to be fixed in version 2.17.1.
I also had to upgrade versions in the Dockerfile for openjdk and alpine to
get rid of more vulnerabilities:

ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0

1) Is there a way to set the log4j version yourself?

2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?

Regards,
Erik

scan.log
  - - - - - -

Testing docker.io/library/fuskeki-local...

Tested 58 dependencies for known issues, found 3 issues.


Issues with no direct upgrade or patch:
   ✗ Denial of Service (DoS) [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
com.fasterxml.jackson.core:jackson-databind@2.13.0
     introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
com.fasterxml.jackson.core:jackson-databind@2.13.0
   This issue was fixed in versions: 2.13.1, 2.12.6
   ✗ Denial of Service (DoS) [High Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
org.apache.logging.log4j:log4j-core@2.16.0
     introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
org.apache.logging.log4j:log4j-core@2.16.0
   This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
   ✗ Arbitrary Code Execution [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
org.apache.logging.log4j:log4j-core@2.16.0
     introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
org.apache.logging.log4j:log4j-core@2.16.0
   This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
