Apache Log4j problem


timti...@gmail.com

Aug 4, 2022, 9:43:07 PM
to xnat_discussion
Hi,

  We are using XNAT 1.7.5.6. We received a report from our security team about the vulnerabilities in Apache Log4j. They recommended that we upgrade to Log4j 2 to fix the security issue.

  Please help? Thanks.

Tim

Rick Herrick

Aug 5, 2022, 1:24:51 PM
to xnat_discussion
XNAT is not vulnerable to the Log4shell exploit. This was discussed in this group previously.

I'm not sure what your security team is looking at, but the vulnerability is actually in Log4j2, while XNAT uses Log4j 1.2.x through the Slf4j API. Upgrading Log4j to Log4j2 is not too difficult, but completely unnecessary at this point.

timti...@gmail.com

Aug 8, 2022, 9:05:59 PM
to xnat_discussion
Hi,

  Our security team's reply:

    Log4j 1.x has reached End of Life in 2015 and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.

  Can we remove WEB-INF/lib/log4j-1.2.17.jar, or do we need to keep it?

  Please advise. Thanks.

Tim

Rick Herrick

Aug 9, 2022, 12:30:03 PM
to xnat_discussion
You're on an outdated version of XNAT, so if you have security concerns about older versions of dependencies I'd suggest upgrading to the latest version of XNAT.

For log4j specifically, XNAT 1.7.6 was released on 2020-01-21 and no longer includes log4j-1.2.x.jar, which was replaced by logback.
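An added example, not XNAT code and not from either poster, that turns the two answers above into a check an administrator can run against a deployment: it inventories WEB-INF/lib by the classes each jar actually contains, telling apart Log4j 1.2.x (what XNAT 1.7.5.6 bundles behind the SLF4J API), Log4j 2 core (the family affected by Log4Shell) and Logback (what XNAT 1.7.6 ships instead). The sample lib it builds is constructed, and the slf4j-api version in it is an assumption.

```python
import re
import tempfile
import zipfile
from pathlib import Path
# One class entry per implementation; judging by class entries, not file names,
# catches renamed or shaded jars. These are the libraries' real package layouts.
MARKERS = {"log4j1": "org/apache/log4j/Logger.class",
           "log4j2-core": "org/apache/logging/log4j/core/Logger.class",
           "logback": "ch/qos/logback/classic/Logger.class"}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)\.jar$")

def classify_jar(path):
    """Return (family, version, has_jndi_lookup) for one jar on disk."""
    match = VERSION_RE.search(path.name)
    version = match.group(1) if match else None
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    family = next((fam for fam, marker in MARKERS.items() if marker in names), None)
    return family, version, JNDI_LOOKUP in names

def inventory(lib_dir):
    """Map jar name -> (family, version, jndi) for each logging implementation jar."""
    found = {}
    for jar in sorted(Path(lib_dir).glob("*.jar")):
        family, version, jndi = classify_jar(jar)
        if family:  # slf4j-api and unrelated jars carry no marker and are skipped
            found[jar.name] = (family, version, jndi)
    return found

def assess(found):
    """One-line verdict on the Log4Shell question for a scanned WEB-INF/lib."""
    families = {fam for fam, _, _ in found.values()}
    if "log4j2-core" in families:
        jndi = "present" if any(j for _, _, j in found.values()) else "removed"
        return f"log4j2-core: check version against Log4j 2 advisories; JndiLookup.class {jndi}"
    if "log4j1" in families:
        return "log4j 1.x only: outside the Log4Shell-affected family, but end of life"
    if "logback" in families:
        return "logback only: matches the XNAT 1.7.6+ layout"
    return "no log4j or logback implementation jar found"

def build_sample_lib():
    """Constructed WEB-INF/lib like XNAT 1.7.5.6's: stub jars holding only a marker class."""
    lib = Path(tempfile.mkdtemp()) / "WEB-INF" / "lib"
    lib.mkdir(parents=True)
    stubs = {"log4j-1.2.17.jar": MARKERS["log4j1"],
             "slf4j-api-1.7.25.jar": "org/slf4j/Logger.class"}  # slf4j version assumed
    for name, entry in stubs.items():
        with zipfile.ZipFile(lib / name, "w") as jar:
            jar.writestr(entry, b"")  # empty stand-in for the real class file
    return lib
```

Point `inventory` at a real webapp's WEB-INF/lib to scan it instead of the constructed one. Note that the Log4j 2 compatibility bridge (log4j-1.2-api) also carries org.apache.log4j classes and would be reported as log4j1 here; its 2.x version in the file name is the tell.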
