Bagit-Python and Log4j


Nathan Tallman

May 10, 2022, 5:08:11 PM
to Digital Curation
Hi folks,

Penn State's library sys admin team has told me that bagit-python was being flagged as vulnerable to log4j. We were using an older version (1.5.4) and I just updated to the latest (1.8.1), but the latest release also pre-dates the discovery of log4j. But from my understanding, log4j is a Java issue and bagit-python doesn't use java, so I'm a bit confused as to why it's being flagged. Has anyone else run into anything like this at your organizations?

Thanks,
Nathan Tallman
Digital Preservation Librarian
Penn State University Libraries

Kieran O Leary

May 10, 2022, 5:36:26 PM
to digital-...@googlegroups.com
Hi Nathan,

I haven't seen this ever crop up, and I'd struggle to think how bagit-python could be affected? It would be great if the sys admin team could give more details in order to clear this up for all of us?

Best,

Kieran O'Leary
Digital Preservation Manager
National Library of Ireland


Chris Adams

May 10, 2022, 7:09:08 PM
to digital-...@googlegroups.com
There’s definitely some confusion there. The only way bagit-python would be connected to log4j would be if you were running it under Jython, which is relatively uncommon and even then would be an issue with whatever else you’re running in addition to bagit. 

My guess would be that this is either a problem with whatever scanning tool they’re using or perhaps simply that the system in question has multiple things installed and they aren’t split in whatever report was sent to you. I’d ask for more details about the exact finding, location, etc.

Chris


Tallman, Nathan

May 11, 2022, 9:45:37 AM
to digital-...@googlegroups.com

Thanks, Chris and Kieran. I’m waiting to hear back on the results of the rescan since I updated the module. I suspected this might be a false-positive from the start and based on this and some other feedback, I’m almost certain. I’ll try to find out which tool they are using to identify the vulnerability and see if they can try to scan with another tool. I’ll report back with what I hear.

Thanks,

Nathan

-- 

Nathan Tallman (he/him)

Tallman, Nathan

May 12, 2022, 10:05:24 AM
to digital-...@googlegroups.com

So, this turned out to be bagit-java (4.12.0). I forgot that back in 2017 I had pulled it down into a working directory that we no longer use on this server. No false-positive hits on bagit-python. Sorry for the false alarm!

Thanks,

Nathan
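
The resolution above (a forgotten bagit-java checkout, not the Python package) is the usual shape of these findings: the scanner is right that a log4j-core jar exists somewhere, the report just doesn't say where. The script below is an added example, not code from this thread or from either bagit project; it walks a directory (a constructed root path is assumed), opens every jar/war/ear it meets, including jars nested inside other archives, and reports each log4j-core it finds with the version recorded in the jar's own Maven pom.properties, so a finding can be tied to an exact path before anyone blames the wrong package.

```python
import io
import os
import zipfile

# Entries that identify a log4j-core jar: the JNDI lookup class and the Maven
# metadata file that records the exact log4j-core version.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def _inspect_archive(zf, location, hits):
    """Record log4j-core evidence in one archive, recursing into nested jars."""
    names = set(zf.namelist())
    if JNDI_LOOKUP in names or POM_PROPS in names:
        version = "unknown"
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        hits.append({"location": location, "version": version,
                     "jndi_lookup_present": JNDI_LOOKUP in names})
    for name in names:  # fat/shaded jars and web archives embed further jars
        if name.lower().endswith(ARCHIVE_EXTS):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _inspect_archive(inner, f"{location}!/{name}", hits)


def find_log4j_core(root):
    """Walk `root`; return one record per log4j-core jar found (nested ones included)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(ARCHIVE_EXTS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    _inspect_archive(zf, path, hits)
            except zipfile.BadZipFile:
                continue  # not a real zip container (e.g. a stray .jar name); skip
    return hits


if __name__ == "__main__":
    import sys  # usage: python find_log4j.py /path/to/scan (defaults to cwd)
    for hit in find_log4j_core(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit["location"], "log4j-core", hit["version"], "JndiLookup:", hit["jndi_lookup_present"])
```

Presence of JndiLookup.class on its own does not decide exposure (patched 2.x releases still ship it); the reported version is what to compare against the vendor advisory, and the location is what tells you which installation to remove or upgrade.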

Kieran O Leary

May 12, 2022, 4:10:17 PM
to digital-...@googlegroups.com