log4j security issue and Cytoscape


Uwe Baumert

Dec 13, 2021, 10:25:55 AM
to cytoscape-helpdesk
The log4j security issue identified a few days ago (https://logging.apache.org/log4j/2.x/security.html) might also affect Cytoscape 3.9.0 and previous versions. A quick search identified several jar files related to log4j in my CytoscapeConfiguration folder, namely:
log4j-1.2-api-2.3.jar
log4j-1.2.13.jar
log4j-api-2.3.jar
log4j-core-2.3.jar
log4j-slf4j-impl-2.1.jar

I'm using Cytoscape 3.9.0 currently on MacOSX 10.14.6.

Should I replace them with secured jar files from 2.15.0, if available? Any advice?
Thank you very much in advance. Uwe Baumert

Scooter Morris

Dec 16, 2021, 11:48:03 AM
to cytoscape-helpdesk
Cytoscape itself only uses log4j 1 and the current CVE is related to log4j 2.x.  There is a Cytoscape app -- sbml -- that uses log4j 2.  There are a couple of ways to avoid this:
1) Remove /Applications/Cytoscape_v3.9.0/apps/sbml-3.4.0.jar
2) Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
3) Remove the JndiLookup class from the classpath: "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"  You'll need to unjar the sbml app first and then you can remove the JndiLookup class and recreate the jar.

In the meantime, we're in the process of getting a 3.9.1 release put together.

-- scooter

Nitish Narula

Dec 17, 2021, 12:19:04 PM
to cytoscape-helpdesk
Thank you for providing up to date information on this and working on the patch.

I just want to confirm, are Cytoscape versions prior to 3.9.0 affected by this vulnerability?

Best,
Nitish

Alex Pico

Dec 17, 2021, 2:37:27 PM
to Cytoscape Helpdesk
Hi Nitish,

Cytoscape is comprised of a core application, a set of “core apps,” and user-installed apps.  The core of Cytoscape 3.9.0 is not vulnerable. We have identified 2 apps with the log4j 2.x vulnerability. The SBML Reader core app (which you can simply remove as Scooter directed or avoid importing .sbml files) and the SyncVis app (which you can simply avoid installing). With those actions taken, Cytoscape is not vulnerable.

We will release a 3.9.1 version of Cytoscape which includes an updated version of the SBML Reader core app so you can read .sbml files and still be protected.

 - Alex


Nitish Narula

Dec 17, 2021, 3:02:10 PM
to cytoscape-helpdesk
Thanks, Alex.

Can I assume the core functionality of versions prior to 3.9.0 is also not vulnerable? I ask because we currently have three such versions installed on our cluster to allow reproducibility for our users. We do not yet provide 3.9.0. Should I plan to remove these versions when 3.9.1 is available?

Secondly, is it safe to ask users to remove the CytoscapeConfiguration directory in their home folders once we make 3.9.1 available?

Best,
Nitish

Alex Pico

Dec 17, 2021, 4:28:52 PM
to Cytoscape Helpdesk
Right. None of the versions of Cytoscape’s core functionality are vulnerable. The SBML Reader core app (that is installed with the distribution of Cytoscape) is vulnerable. This is the case for 3.9.0 and older versions.

If you remove the SBML app (/Applications/Cytoscape_v3.9.0/apps/sbml-3.4.0.jar), then you can make Cytoscape 3.9.0 and any older version of Cytoscape safe. You can also instruct users to not import .sbml files into Cytoscape. That would also keep Cytoscape 3.9.0 and all older versions safe.

Cytoscape 3.9.1 will include an updated SBML Reader core app so that you can work with .sbml files again without worry. You will not need to remove the CytoscapeConfiguration dir. You only need to click “update” when prompted by the launch screen after 3.9.1 is released. The installation will update all Cytoscape components, including the SBML Reader core app. No other actions will be required by Cytoscape users.

 - Alex

Nitish Narula

Dec 17, 2021, 4:52:25 PM
to cytoscape-helpdesk
Thanks a lot for the information. I am going to remove the sbml-3.4.0.jar.

I am not sure if you can answer the following questions:

1. Our security teams are highlighting certain files that show up because of Cytoscape. This includes the ones in the CytoscapeConfiguration directory that the user mentioned above, something like:

${HOME}/CytoscapeConfiguration/3/karaf_data/cache/bundle[XYZ]/version0.0/bundle.jar-embedded/log4j-*.jar

They are recreated every time a user restarts Cytoscape. The JAR files contain the JndiLookup class. Any suggestion how we should deal with this? I am assuming 3.9.1 will include the newer fixed log4j JAR, which would be the final solution.

2. Similarly, this file is being flagged in the Cytoscape installation directory (versions 3.7.1 and 3.8.2):

framework/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.1/pax-logging-log4j2-1.10.1.jar

This also contains the JndiLookup class. Can I remove this class from this JAR file and expect Cytoscape to function normally?

I really appreciate your help.

Nitish

Alex Pico

Dec 17, 2021, 6:47:24 PM
to Cytoscape Helpdesk
Thank you for sharing these reports, Nitish! This is new information to me. We will look into this and will reply soon...

Short answer: you cannot remove pax-logging-log4j2-1.10.1.jar and expect Cytoscape to work. You would need to wait for version 3.9.1 or try the other suggestions that Scooter provided earlier:

2) Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
3) Remove the JndiLookup class from the classpath: "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"  You'll need to unjar the sbml app first and then you can remove the JndiLookup class and recreate the jar.

 - Alex

Alex Pico

Dec 17, 2021, 7:30:02 PM
to Cytoscape Helpdesk
Nitish,

We have updated our vulnerability message based on the information you shared. Thanks again!

Indeed, the current 3.9.0 version of Cytoscape (and older versions) are vulnerable to attack strings inserted into sabotaged data and network files from online sources (not just .sbml files). This also means the vulnerability extends to many apps that use the version of log4j provided by Karaf, via Cytoscape. 

While it still takes quite a bit of imagination to envision an actual attack via Cytoscape, we would recommend that users, in general, should exercise caution when importing files from online sources during this time.

Actions to temporarily fix a current Cytoscape installation include the two steps mentioned before:
2) Set the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.
3) Remove the JndiLookup class from the classpath: "zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class"  You'll need to unjar the sbml app first and then you can remove the JndiLookup class and recreate the jar.

The new 3.9.1 version of Cytoscape will resolve this security issue for its core components and all third-party apps that use the provided log4j.

 - Alex
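The two manual mitigations Scooter and Alex repeat (check a jar for JndiLookup.class, then unjar, `zip -d` the class out, and re-jar) also have to reach the log4j jars that Nitish found nested inside Karaf bundle caches. This added example, which is not Cytoscape project code, does both steps in Python's standard `zipfile` module and recurses into embedded jars; the function names and the in-memory sample bundle are my own constructions, and the sample entries hold placeholder bytes rather than real bytecode.

```python
# Added example (not Cytoscape code): find the log4j 2.x JndiLookup class
# inside jars, including jars embedded in other jars, and strip it, as the
# manual "unjar / zip -d / re-jar" steps in the thread do.
import io
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def find_class(jar_bytes: bytes, target: str = JNDI_CLASS, prefix: str = "") -> list[str]:
    """Return 'outer.jar!inner/path' locations where the target class entry is present."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name == target:
                hits.append(prefix + name)
            elif name.endswith(".jar"):  # e.g. bundle.jar-embedded/log4j-core-2.3.jar
                hits.extend(find_class(zf.read(name), target, f"{prefix}{name}!"))
    return hits


def strip_jndi_lookup(jar_bytes: bytes) -> tuple[bytes, int]:
    """Rewrite the jar without JndiLookup.class (recursively); return (bytes, removed)."""
    removed, out = 0, io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_CLASS:
                removed += 1
                continue
            data = src.read(info.filename)
            if info.filename.endswith(".jar"):
                data, n = strip_jndi_lookup(data)  # fix embedded jars in place
                removed += n
            dst.writestr(info, data)  # keeps the original entry metadata
    return out.getvalue(), removed


def build_sample_bundle() -> bytes:
    """Constructed fixture: a bundle jar embedding a log4j-core jar that still has JndiLookup."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(JNDI_CLASS, b"placeholder")  # not real bytecode
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"placeholder")
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("bundle.jar-embedded/log4j-core-2.3.jar", core.getvalue())
    return bundle.getvalue()
```

On a real installation, read each jar under the paths named in this thread, run `find_class` to confirm the class is present, and write the bytes returned by `strip_jndi_lookup` back only after keeping a copy of the original; as Alex notes, the jar itself must stay in place for Cytoscape to start.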

Uwe Baumert

Dec 20, 2021, 5:59:09 AM
to cytoscape-helpdesk
Dear Scooter,

thank you very much for your detailed feedback. Currently, I'm not working with SBML files or the SBML app, so I should be safe. Additionally, I'll remove the sbml-3.4.0.jar file from the apps folder.

Uwe Baumert