CVE-2021-44228 vulnerability


Quentin Reul

Dec 13, 2021, 12:40:09 PM
to semanticturkey-user
Hi all,

As you may be aware, there is a severe vulnerability associated with Log4J [1]. VocBench is using Log4J 2.8.2. Is there a plan for a patch fix to be released to address this issue?

We look forward to hearing from you.

Quentin Reul, PhD
Director, Product Software Engineering

Armando Stellato

Dec 13, 2021, 1:31:16 PM
to semantict...@googlegroups.com

Dear Quentin,

Thanks for raising the point; we were going to make a post about it.

The quick fix that doesn't require a rebuilt version is reported here:

https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-44228/

add Java parameter -Dlog4j2.formatMsgNoLookups=true in order to change system property log4j2.formatMsgNoLookups to true in versions 2.10 to 2.14.1, or remove JndiLookup class from the classpath.

Since our version (embedded within the jar of pax-logging, provided by the Karaf container) is 2.8.2, the first one should not work, but the second, being quite radical, does :-) Just be sure to use that JVM only for VB or for other software that doesn't require JndiLookup.

Going to the more general solution, as this is connected to a third-party dependency, and not a trivial one, we will consider the possibility of upgrading to a new Karaf (there are quite a few issues there, considering other dependencies, the switch to post-8 Java compliance, etc.).

Kind Regards,

Armando
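An added example, not code from the thread or from the VocBench/Semantic Turkey project: it checks a log4j-core jar for the JndiLookup class, reports whether the version falls in the 2.10 to 2.14.1 range where the -Dlog4j2.formatMsgNoLookups=true property is effective (so that a 2.8.2 jar is correctly flagged as needing the class-removal route instead), and writes a copy of the jar with JndiLookup.class stripped out. The jar it scans is a constructed stand-in built inline; the pom.properties path used for version detection is an assumption that a shaded bundle such as pax-logging may not carry, in which case the version is reported as None.

```python
import tempfile
import zipfile

# Class whose removal is the "radical" workaround quoted in the thread.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven descriptor in log4j-core jars (assumption: shaded bundles may lack it -> version None).
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def flag_is_effective(version):
    """-Dlog4j2.formatMsgNoLookups=true only works from 2.10 up to 2.14.1."""
    if version is None:
        return False
    return (2, 10) <= tuple(int(p) for p in version.split(".")[:3]) <= (2, 14, 1)

def scan_jar(jar_path):
    """Report whether JndiLookup is still present and which mitigation applies."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"jndi_lookup_present": JNDI_LOOKUP in names,
            "log4j_core_version": version,
            "formatMsgNoLookups_effective": flag_is_effective(version)}

def strip_jndi_lookup(src, dst):
    """Copy src to dst without JndiLookup.class; returns True if it was removed."""
    removed = False
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w") as zout:
        for info in zin.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            zout.writestr(info, zin.read(info.filename))
    return removed

def demo():
    """Build a constructed stand-in for log4j-core 2.8.2, scan it, strip it, rescan."""
    src = tempfile.mkdtemp() + "/log4j-core-2.8.2.jar"  # constructed sample, not a real jar
    dst = src.replace(".jar", "-nojndi.jar")
    with zipfile.ZipFile(src, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.8.2\n")
        zf.writestr(JNDI_LOOKUP, b"")
    before = scan_jar(src)
    strip_jndi_lookup(src, dst)
    return before, scan_jar(dst)
```

Run scan_jar against the real pax-logging bundle in the Karaf installation to see both the version and whether the class is still present after patching; the stripped copy must replace the original before the JVM is restarted.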
