CVE-2021-44228 vulnerability: a patch to be applied


Armando Stellato

Dec 14, 2021, 5:50:40 AM
to semantict...@googlegroups.com, vocbench-user

Hi all,

following a vulnerability issue which has been recently discovered for log4j, a logging framework used by Karaf (the host container for Semantic Turkey, and thus for VocBench and ShowVoc), we have posted a patched jar file that should solve the issue.

The patched jar file can be downloaded from here:

https://bitbucket.org/art-uniroma2/semantic-turkey/downloads/pax-logging-log4j2-1.10.1.jar

The jar to be replaced is located in:

system\org\ops4j\pax\logging\pax-logging-log4j2\

within the Semantic Turkey deployment (directory: semanticturkey-10.1.1).

So:

  1. Close the Semantic Turkey process.
  2. Replace the jar you find there with the new one available at the above link.
  3. Delete the directory semanticturkey-10.1.1/data (no worries, even though it’s called “data”, there is no sensitive data that you are using, it’s just cache and logs).
  4. Restart Semantic Turkey.

Kind Regards,

The VocBench team

P.S.: for those curious about how the patch is different from the original one: in short, following what has been written here:

https://www.whitesourcesoftware.com/resources/blog/log4j-vulnerability-cve-2021-44228/

we have removed the JndiLookup class from the jar.

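A way to verify, on the installed pax-logging-log4j2 jar or on the downloaded one, that the JndiLookup class is really absent, and to reproduce the same class removal on a local copy. This is an added example, not code from the VocBench team; it assumes the class sits at its standard log4j-core path inside the jar and builds a small constructed jar inline so it runs offline.

```python
import io
import zipfile

# Standard location of the class inside log4j-core. Assumption: the
# pax-logging-log4j2 bundle embeds log4j-core classes under this same path.
JNDI_LOOKUP_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def entry_names(jar_bytes: bytes) -> list[str]:
    """List every entry name in a jar given as bytes (a jar is a zip file)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return zf.namelist()


def jndi_lookup_entries(jar_bytes: bytes) -> list[str]:
    """Return the JndiLookup.class entries still present; empty means patched."""
    return [n for n in entry_names(jar_bytes) if n.endswith("/JndiLookup.class")]


def check_jar_file(path: str) -> list[str]:
    """Same check against a jar on disk, e.g. the installed pax-logging jar."""
    with open(path, "rb") as fh:
        return jndi_lookup_entries(fh.read())


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Copy the jar without any JndiLookup.class entry, keeping all other
    entries with their original name and compression (same result as
    deleting the entry with `zip -q -d`)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename.endswith("/JndiLookup.class"):
                continue  # drop the class the quick patch removes
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()  # central directory is written when dst closes


def build_constructed_jar() -> bytes:
    """Constructed sample input: a tiny jar with a placeholder JndiLookup entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(JNDI_LOOKUP_ENTRY, b"\xca\xfe\xba\xbe placeholder, not a real class")
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    original = build_constructed_jar()
    print("before:", jndi_lookup_entries(original))  # one entry: JNDI_LOOKUP_ENTRY
    print("after: ", jndi_lookup_entries(strip_jndi_lookup(original)))  # []
```

Run `check_jar_file` against the jar under system\org\ops4j\pax\logging\pax-logging-log4j2\ before and after the replacement; an empty list confirms the class is gone.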

Quentin Reul

Jan 11, 2022, 10:53:22 AM
to semanticturkey-user
Hi Armando,

Are there plans to implement a remediation for the different Log4J vulnerabilities? As you may be aware, there have been additional vulnerabilities that have been identified with Log4J [1], and the deletion of the JndiLookup class is only seen as a mitigation. It would be great if a new patch release with remediation for the different Log4J issues (i.e. using Log4J 2.17.x or above) could be made.

Kind regards,

Quentin Reul

Armando Stellato

Jan 11, 2022, 11:34:55 AM
to semantict...@googlegroups.com

Dear Quentin,

apologies for replying so late, but I overlooked the email asking to approve your msg. It seems you are not registered on the ST forum and each msg you send requires approval.

The one with the removal of the class was a quick patch which seemed to cover most (at the time, all) of the cases.

The final solution was to have an update of the dependency; however, since this was not a direct dependency, rather one of the hosting environment, Karaf, we had to wait for Karaf to update in turn. This has been done in late December (see versions 4.3.5 and 4.2.14 in [1]) by the Karaf team, so we are considering moving at the soonest to an update of Karaf.

Kind regards,

Armando

[1] https://karaf.apache.org/download.html

