Log4j ?


Bohms, H.M. (Michel)

Dec 17, 2021, 5:02:20 AM
to topbrai...@googlegroups.com

Dear TQ

We are asked by our management to check own-installed software on our systems for Apache Log4j issue vulnerability.

Can you say something about that for TBC?

(knowing that Jena is on the list (log4shell/software at main · NCSC-NL/log4shell (github.com)) for versions < 4.3.1)

Thx! Michel

Dr. ir. H.M. (Michel) Bohms
Scientist Specialist
Structural Reliability

T +31 (0)88 866 31 07
M +31 (0)63 038 12 20
michel...@tno.nl

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. TNO accepts no liability for the content of this e-mail, for the manner in which you use it and for damage of any kind resulting from the risks inherent to the electronic transmission of messages.

 

Richard Cyganiak

Dec 17, 2021, 5:35:00 AM
to topbraid-users list
To be vulnerable to Log4shell exploits, a system must accept remote connections, accept some sort of input provided by the remote client, and log that input through Log4j.

TBC refuses remote requests without logging any client-provided input through Log4j, and is therefore not vulnerable, according to our analysis.

Richard



an...@seaborne.org

Dec 17, 2021, 9:38:37 AM
to TopBraid Suite Users
Apache Jena Fuseki is affected (and there's a fix release - 4.3.1).

Apache Jena libraries use a logging facade and the libraries don't ship or depend on log4j2 - the user/application adds the logging of choice.

Beware that parse errors from data read in may cause a logging message.

This includes Jena's command line parsers which do use log4j2.

    Andy

ajvz

Dec 17, 2021, 9:49:36 AM
to TopBraid Suite Users
Hmmm, does that hold even if TBC is connected to a Git repository? 