Drools Log4j Security Vulnerability


Techie

Dec 12, 2021, 11:39:14 AM
to Drools Development
Hi All,

Does anyone know if Drools uses Log4j internally, which has the zero-day security vulnerability?

Thanks

Matteo Mortari

Dec 12, 2021, 12:37:09 PM
to drools-de...@googlegroups.com
Hi,
Drools (https://github.com/kiegroup/drools) internally has been using SLF4J (http://www.slf4j.org) for a long time, so to answer your question, no.

Only some examples might have been using Log4j as a logging backend, but still from SLF4J; so unless you import and use the Log4j API in *your* application code, that again is not impacting.

Please avoid cross-posting; I've seen this message on both the drools-usage and drools-development mailing lists. Ref: https://drools.org/community/getHelp.html

Hope this helps,
MM


shre...@gmail.com

Dec 13, 2021, 10:27:12 AM
to Drools Development
Hello Matteo,

I have scanned the drools repo for kie-wb distributions with the utility here: https://github.com/logpresso/CVE-2021-44228-Scanner
The results say that there are vulnerabilities as below:

java -jar logpresso-log4j2-scan-1.2.2.jar /Users/shreyash/drools/

[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/add-ons-distribution/target/migration-tool/kie-wb-common-cli-migration-tool-7.35.0-SNAPSHOT/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-webapp/target/business-central-webapp/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-webapp/target/business-central-webapp-thorntail.jar (m2repo/org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-webapp/target/business-central-webapp.war (WEB-INF/lib/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-central/target/business-central-7.35.0-SNAPSHOT-wildfly14/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-central/target/business-central-7.35.0-SNAPSHOT-wildfly14.war (WEB-INF/lib/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-central/target/business-central-7.35.0-SNAPSHOT-wildfly-deployable/wildfly-14.0.1.Final/standalone/deployments/business-central.war/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-monitoring/target/business-monitoring-7.35.0-SNAPSHOT-wildfly14/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-monitoring/target/business-monitoring-7.35.0-SNAPSHOT-wildfly-deployable/wildfly-14.0.1.Final/standalone/deployments/business-central.war/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-central-distribution-wars/business-monitoring/target/business-monitoring-7.35.0-SNAPSHOT-wildfly14.war (WEB-INF/lib/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-monitoring-webapp/target/business-monitoring-webapp.war (WEB-INF/lib/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-monitoring-webapp/target/business-monitoring-webapp-thorntail.jar (m2repo/org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar), log4j 2.11.1
[*] Found CVE-2021-44228 vulnerability in /Users/shreyash/drools/kie-wb-distributions/business-central-parent/business-monitoring-webapp/target/business-monitoring-webapp/WEB-INF/lib/log4j-core-2.11.1.jar, log4j 2.11.1

Scanned 15746 directories and 65246 files
Found 13 vulnerable files
Completed in 46.11 seconds


What do you suggest I should do here? I am using version 7.35 for both business-central and kie-server.


Regards,
Shreyash
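The kind of scan shown above, which has to look inside .war files and thorntail uber-jars to find the nested log4j-core copies, can be reproduced in a few lines. This is an added example, not the logpresso scanner or any KIE project code; it assumes the CVE-2021-44228 version boundaries from the Apache advisory (fixed in 2.15.0, with 2.12.2 and 2.3.1 backport releases) and treats an in-range jar as mitigated when JndiLookup.class has been removed from it. The sample .war it builds is constructed for the demonstration, not a real distribution.

```python
import io, re, zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear")
LOG4J_CORE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")  # x.y.z names only
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def is_vulnerable_version(ver):
    """CVE-2021-44228: log4j-core 2.x below 2.15.0, except 2.12.2+ and 2.3.1+ backports."""
    major, minor, patch = ver
    if major != 2 or ver >= (2, 15, 0):
        return False
    return not ((minor == 12 and patch >= 2) or (minor == 3 and patch >= 1))

def scan_archive(data, name, location, findings):
    """Recurse through nested archives (WEB-INF/lib in a .war, m2repo/ in a
    thorntail uber-jar); `name` is the file name, `location` the report path."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:  # e.g. a .jar entry that is not actually a zip
        return findings
    with zf:
        names = zf.namelist()
        m = LOG4J_CORE.match(name)
        if m:  # this archive is itself a log4j-core jar: classify it.
            ver = tuple(int(x) for x in m.groups())
            # Flag only if in range AND JndiLookup.class is still inside (deleting it was the mitigation).
            findings.append({"path": location, "version": ver,
                             "vulnerable": is_vulnerable_version(ver) and JNDI_LOOKUP in names})
        for entry in names:
            if entry.lower().endswith(ARCHIVE_EXT):
                scan_archive(zf.read(entry), entry.rsplit("/", 1)[-1],
                             f"{location} ({entry})", findings)
    return findings

def build_jar(entries):
    """Build an in-memory zip from {entry_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, payload in entries.items():
            zf.writestr(entry, payload)
    return buf.getvalue()

def sample_war():
    """Constructed sample (not a real distribution): a 2.11.1 jar still shipping JndiLookup.class,
    a 2.11.1 jar with the class removed, and a thorntail-style uber-jar with a copy under m2repo/."""
    vulnerable = build_jar({JNDI_LOOKUP: b"\xca\xfe\xba\xbe"})
    stripped = build_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"})
    uber = build_jar({"m2repo/org/apache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar": vulnerable})
    return build_jar({"WEB-INF/lib/log4j-core-2.11.1.jar": vulnerable,
                      "WEB-INF/lib/patched/log4j-core-2.11.1.jar": stripped,
                      "WEB-INF/lib/app-thorntail.jar": uber})
```

Running `scan_archive(sample_war(), "business-central.war", "business-central.war", [])` returns three findings: the copies under WEB-INF/lib and inside the uber-jar are flagged, the one with JndiLookup.class removed is not.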

Matteo Mortari

Dec 13, 2021, 11:15:32 AM
to drools-de...@googlegroups.com
Hello Shreyash,

My answer was limited specifically to Drools, not anything else.

In general, I suggest you periodically check the KIE blog, as if we report any additional findings, for Drools or any other KIE-related project such as Business Central (which you are referring to), jBPM, etc., we are likely going to push them there: https://blog.kie.org

Hope this helps,
MM

Matteo Mortari

Dec 13, 2021, 1:52:55 PM
to drools-de...@googlegroups.com

We invite you to keep monitoring the blog post, in case there are any further findings in the future.

Hope this helps,
MM
