Updating log4j vulnerability


Andrew Osiris

Dec 15, 2021, 1:37:11 PM
to OpenRefine
Hello, my organization is taking my computer off the domain because of a Log4j vulnerability that is tied to this application. What can I do to update Log4j so I can continue to use this product? Thank you for your time.

Antonin Delpeuch (lists)

Dec 15, 2021, 2:02:53 PM
to openr...@googlegroups.com

Hello Andrew

OpenRefine 3.5.0 ships with Log4j 1.2.16, which is not affected by this vulnerability as far as I know. If your organization has more details to share about why they consider OpenRefine vulnerable to this, I would be interested to know more about that.

Best wishes,

Antonin


Andrew Osiris

Dec 15, 2021, 2:08:49 PM
to OpenRefine

From our organization:

"A critical vulnerability affecting Log4j 2, versions through 2.14.1, has been identified (CVE-2021-44228) and is being actively exploited in the wild. The vulnerability allows for unauthenticated remote code execution."

Andrew Osiris

Dec 15, 2021, 2:20:49 PM
to OpenRefine
They are asking: If you control the installation of Log4j, patch to version 2.15.0 as soon as possible.
Is this compatible?


Andrew Osiris

Dec 15, 2021, 3:58:17 PM
to OpenRefine
So after looking into this, it appears that the 1.x version of Log4j went end of life in 2015. There is a separate vulnerability here: https://nvd.nist.gov/vuln/detail/CVE-2019-17571, which will never be patched because it's EOL. Basically, it looks like if 2.15.0 is not compatible, which I am guessing it's not, I won't be able to use this product anymore, which is a shame because I really like it.

Antonin Delpeuch (lists)

Dec 15, 2021, 4:07:39 PM
to openr...@googlegroups.com

Hi Andrew,

We are likely to stay with Log4j 1.x but upgrading to the latest version in 1.x sounds doable, perhaps in the coming days.

Best wishes,

Antonin

Antonin Delpeuch (lists)

Dec 15, 2021, 4:19:09 PM
to openr...@googlegroups.com

Hmm, actually, Apache Spark uses the same log4j version and they have no plans to upgrade soon, so I will wait and see.

Antonin

melpo...@freenet.de

Dec 16, 2021, 11:10:51 AM
to OpenRefine
Two days ago my government extended the vulnerability to version 1.x because the attacks also extended to it. So I can't use OpenRefine. It's a shame, because I have a lot of cleaning work next year and now I have to think about doing it with Access or Excel, which takes a lot more time.

Antonin Delpeuch (lists)

Dec 16, 2021, 11:23:58 AM
to openr...@googlegroups.com

Thanks for letting us know. I will have another look and see what I can do.

Antonin

Antonin Delpeuch (lists)

Dec 17, 2021, 9:00:14 AM
to openr...@googlegroups.com

A new version 3.5.1 with updated log4j should be out in a few days.

Antonin

melpo...@freenet.de

Dec 17, 2021, 9:19:47 AM
to OpenRefine
That's great news. Thank you.

Vladimir Stavrov

Dec 20, 2021, 9:14:27 AM
to OpenRefine
Hi,

could you clarify this case a little bit?

When OpenRefine is started locally, it cannot be affected by the mentioned vulnerability if the network setup does not forward requests to the OpenRefine port (default 3333) from any external URL/IP assigned to the local computer and visible from the Internet.

melpo...@freenet.de

Jan 4, 2022, 9:24:59 AM
to OpenRefine
Hi,

Thanks for the info, but the IT department checks whether the library exists anywhere, not how it works or is used in a specific piece of software. But maybe it helps, as only version 2.17 is declared safe for now.

Antonin, I appreciate your fast reaction, but I don't expect that you can react so fast to all updates of the library, and I will try to convince them with the hint for now.
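An added example, not OpenRefine's or Apache's code, of the kind of "does the library exist anywhere" scan described in the post above, extended with the distinction Antonin and Andrew draw earlier in the thread between Log4j 1.x and 2.x. It walks a directory for log4j jars, reads the version from each jar's MANIFEST.MF (or the file name), and checks for the two classes behind the CVEs named in the thread: JndiLookup in log4j-core for CVE-2021-44228 (Apache's interim mitigation was to delete that class) and SocketServer in Log4j 1.2 for CVE-2019-17571. The 2.17.0 baseline is the one the IT department in this thread accepts. The sample jars it builds are constructed stand-ins holding only a manifest and placeholder class entries, not real bytecode.

```python
"""Scan a directory for Log4j jars and report the issues discussed in the thread.

Added example, not OpenRefine's or Apache's code. The version comes from the
jar's MANIFEST.MF (Implementation-Version) or, failing that, the file name.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Apache's interim mitigation for CVE-2021-44228 was to delete this class from
# log4j-core, so its presence in an unfixed 2.x jar is the exploitable surface.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# CVE-2019-17571 is a deserialization flaw in Log4j 1.2's SocketServer.
SOCKET_SERVER_CLASS = "org/apache/log4j/net/SocketServer.class"
# Version the thread's IT department treats as the safe baseline.
SAFE_BASELINE = (2, 17, 0)

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None when no version is present."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p or 0) for p in m.groups()) if m else None


def jar_version(zf, path):
    """Prefer the manifest's Implementation-Version, then fall back to the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.lower().startswith("implementation-version:"):
            version = parse_version(line.split(":", 1)[1])
            if version:
                return version
    return parse_version(path.name)


def classify_jar(path):
    """Return what a jar is and which of the thread's findings apply to it."""
    path = Path(path)
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = jar_version(zf, path)
    is_log4j2 = any(n.startswith("org/apache/logging/log4j/") for n in names)
    # The 2.x "log4j-1.2-api" bridge reuses the 1.x package, so require a 1.x version too.
    is_log4j1 = any(n.startswith("org/apache/log4j/") for n in names) and (
        version is None or version[0] == 1)
    findings = []
    if is_log4j2:
        if JNDI_LOOKUP_CLASS in names and (version is None or version <= (2, 14, 1)):
            findings.append("CVE-2021-44228: JndiLookup present in log4j-core through 2.14.1")
        if version is not None and version < SAFE_BASELINE:
            findings.append("Log4j 2 below 2.17.0, the baseline the IT department accepts")
    if is_log4j1:
        findings.append("Log4j 1.x went end of life in 2015; no upstream patches")
        if SOCKET_SERVER_CLASS in names:
            findings.append("CVE-2019-17571: SocketServer deserialization (Log4j 1.2)")
    return {"path": str(path), "version": version, "log4j2": is_log4j2,
            "log4j1": is_log4j1, "jndi_lookup": JNDI_LOOKUP_CLASS in names,
            "findings": findings}


def scan_tree(root):
    """Classify every log4j*.jar below root (the 'does the library exist anywhere' check)."""
    return [classify_jar(p) for p in sorted(Path(root).rglob("log4j*.jar"))]


def build_sample_jars(directory):
    """Write constructed stand-in jars: a manifest plus placeholder class entries only."""
    samples = {
        "log4j-core-2.14.1.jar": ("2.14.1", [JNDI_LOOKUP_CLASS]),
        "log4j-core-2.17.0.jar": ("2.17.0", [JNDI_LOOKUP_CLASS]),  # class still shipped, version fixed
        "log4j-1.2.16.jar": ("1.2.16", ["org/apache/log4j/Logger.class", SOCKET_SERVER_CLASS]),
    }
    for name, (version, classes) in samples.items():
        with zipfile.ZipFile(Path(directory) / name, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            for cls in classes:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")  # class-file magic only; not real bytecode
    return sorted(samples)


def demo():
    """Build the constructed jars in a temp directory and return results keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_jars(tmp)
        return {Path(r["path"]).name: r for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["version"], result["findings"] or ["nothing flagged"])
```

Run it against a real installation with `scan_tree("/path/to/openrefine")` instead of `demo()`. Note that the scan reports what is on disk, which is exactly what the IT department's inventory check does; it says nothing about whether the application ever logs attacker-controlled input, which is the point Vladimir raised about network exposure.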

Antonin Delpeuch (lists)

Jan 5, 2022, 5:45:04 AM
to openr...@googlegroups.com
Hi!

Yes, the log4j updates seem to have stabilized for now, so we could update to 2.17.0. I will propose to cut the corresponding release.

Cheers,
Antonin


Thad Guidry

Jan 5, 2022, 11:29:12 AM
to openr...@googlegroups.com