log4j in the hyrax image


Ashkar, Jihad S. (GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC]

Dec 27, 2021, 3:24:42 PM
to OPeNDAP Support

Hi,

Is there a reason why log4j is installed in the hyrax images?

docker run -it --entrypoint /bin/sh opendap/hyrax:1.16.4 -c 'rpm -qa | grep log4j'

log4j-1.2.17-16.el7_4.noarch

If it’s not used by hyrax, can it be removed from the image?

Thanks,

Jihad Ashkar

James Gallagher

Dec 28, 2021, 11:32:14 AM
to Ashkar, Jihad S. (GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC], Potter Nathan, Gallagher James, OPeNDAP Support
That copy of log4j is part of tomcat and it's a version 1.2.x copy of the library that, according to multiple sources, is not vulnerable to the security issue that some of the version 2.x copies of the library are.

I can get you more information if you need it.

James


Ashkar, Jihad S. (GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC]

Dec 28, 2021, 11:41:36 AM
to James Gallagher, Potter, Nathan (GSFC-4230)[OPENDAP, INC.], OPeNDAP Support

Ok. Thanks!

Jihad

Nathan Potter

Jan 10, 2022, 11:38:37 AM
to Ashkar, Jihad S. (GSFC-619.0)[SCIENCE SYSTEMS AND APPLICATIONS INC], Nathan Potter, OPeNDAP Support
Hi Jihad,

It's not clear to me if you received a response, if not I apologize.

The docker container that we use to deploy the Hyrax application is based on CentOS-7.latest running Tomcat version 7.0.76 release 16.el7_9 installed from rpm using yum. Tomcat is a Java application and includes (via an rpm dependency) the Log4j-1.2.17 library, installed from rpm.

As of 12:55 ET 12/17/2021 the Mitigation section of the Apache Log4j website's security page here: https://logging.apache.org/log4j/2.x/security.html

states that:

> Log4j 1.x mitigation: Log4j 1.x is not impacted by this vulnerability.

If you have a look at our DockerHub you can see that the Snyk tool has stated that the Log4j issue does not affect Hyrax-1.16.4:

https://hub.docker.com/layers/opendap/hyrax/1.16.4/images/sha256-c22ab8fb7c0a7191cbe4d8b3c548cc7ba9bf487c88c6019a8e81488bab07cdb0?context=explore

We have just released 1.16.5. You can read about the release here:

https://www.opendap.org/software/hyrax/1.16

And 1.16.5 is also available on DockerHub.

I hope that this addresses your concerns.

Sincerely,

Nathan
= = =
Nathan Potter ndp at opendap.org
OPeNDAP, Inc. +1.541.231.3317
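The thread turns on one distinction: the Log4j copy the image carries is a 1.x RPM pulled in by Tomcat, not one of the affected 2.x copies. The one-line rpm query in the first message answers that for packages the package manager knows about, but a container can also carry Log4j jars dropped in outside of rpm. The script below is an added example, not code from this thread or from the Hyrax project; it runs the same rpm query plus a jar search against an image, parses each artifact's version, and reports which major line it belongs to. IMAGE is a placeholder, the --live path needs docker, and the sample inventory it runs on offline is constructed.

```shell
#!/bin/sh
# Added example (not from the OPeNDAP thread or the Hyrax project): inventory
# the Log4j copies a container image carries, from rpm and from jar files, and
# report the major version line each belongs to. IMAGE is a placeholder.

IMAGE="${IMAGE:-opendap/hyrax:1.16.4}"

# Print "name version major" for one rpm NEVRA or jar path, e.g.
# log4j-1.2.17-16.el7_4.noarch -> "log4j 1.2.17 1". Returns 1 (prints nothing)
# when the name carries no version, such as an unversioned log4j.jar symlink.
describe_log4j() {
    # The version is the first dotted numeric field after the package/jar name.
    parsed=$(basename "$1" | sed -n 's/^\(log4j[A-Za-z0-9_-]*\)-\([0-9][0-9.]*\)[-.].*$/\1 \2/p')
    [ -n "$parsed" ] || return 1
    set -- $parsed
    printf '%s %s %s\n' "$1" "$2" "${2%%.*}"
}

# Read an inventory (one rpm name or jar path per line) on stdin and emit one
# tab-separated summary line per artifact with a 1.x / 2.x verdict.
summarize_inventory() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if out=$(describe_log4j "$line"); then
            set -- $out
            case "$3" in
                1) verdict="log4j-1.x (not the affected 2.x line)" ;;
                2) verdict="log4j-2.x (check against the Apache advisory)" ;;
                *) verdict="unknown major version" ;;
            esac
            printf '%s\t%s\t%s\n' "$1" "$2" "$verdict"
        else
            printf '%s\t?\tunversioned, inspect manually\n' "$line"
        fi
    done
}

# Collect the real inventory from the image (needs docker): rpm lists packaged
# copies, find catches jars shipped outside the package manager.
inventory_image() {
    docker run --rm --entrypoint /bin/sh "$IMAGE" -c \
        'rpm -qa | grep -i log4j; find / -name "log4j*.jar" 2>/dev/null'
}

# Constructed sample standing in for the docker output so the script runs offline.
SAMPLE_INVENTORY='log4j-1.2.17-16.el7_4.noarch
/opt/example-app/lib/log4j-core-2.14.1.jar
/usr/share/java/log4j.jar'

if [ "${1:-}" = "--live" ]; then
    inventory_image | summarize_inventory
else
    printf '%s\n' "$SAMPLE_INVENTORY" | summarize_inventory
fi
```

Run it with `--live` to query the image itself, or with no arguments to see the verdicts for the constructed sample; the jar search matters because an rpm-only query, like the one in the first message, is silent about copies that were copied into the image by hand.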
