Posted to dev@sling.apache.org by Oliver Lietz <ap...@oliverlietz.de> on 2021/12/13 09:19:08 UTC
Log4Shell
Hi *,
How about putting a statement on our Sling homepage regarding Log4Shell?
Commons Log is using Logback so we should be fine. Carsten, Chetan?
Regards,
O.
Re: Log4Shell
Posted by Oliver Lietz <ap...@oliverlietz.de>.
On Monday, 13 December 2021 17:13:38 CET Carsten Ziegeler wrote:
> I did a check as well and couldn't find anything.
>
> I guess the only place where log4j2 might be included is by pax exam
> tests - not sure about that though.
Pax Exam is using log4j 1.x. I'm already looking into it to double check and
update.
At least we should have a statement on our homepage for Sling Starter which is
using Sling Commons Log.
O.
> Regards
> Carsten
>
> Am 13.12.2021 um 16:49 schrieb Robert Munteanu:
> > On Mon, 2021-12-13 at 16:40 +0100, Bertrand Delacretaz wrote:
> >> If we make a statement I think it should include the list of modules
> >> we have checked as "not embedding log4j2" and describe the method
> >> used
> >> for that check.
> >
> > I have used `repo grep log4j` in the Sling repo checkout, manually
> > validated that we don't pull in log4j2.
> >
> > If we exclude test code, we only get 54 lines, it should be quite easy
> > for someone else to cross-check my findings.
> >
> > Thanks,
> > Robert
Re: Log4Shell
Posted by Carsten Ziegeler <cz...@apache.org>.
I did a check as well and couldn't find anything.
I guess the only place where log4j2 might be included is by pax exam
tests - not sure about that though.
Regards
Carsten
Am 13.12.2021 um 16:49 schrieb Robert Munteanu:
> On Mon, 2021-12-13 at 16:40 +0100, Bertrand Delacretaz wrote:
>> If we make a statement I think it should include the list of modules
>> we have checked as "not embedding log4j2" and describe the method
>> used
>> for that check.
>
> I have used `repo grep log4j` in the Sling repo checkout, manually
> validated that we don't pull in log4j2.
>
> If we exclude test code, we only get 54 lines, it should be quite easy
> for someone else to cross-check my findings.
>
> Thanks,
> Robert
--
Carsten Ziegeler
Adobe
cziegeler@apache.org
Re: Log4Shell
Posted by Robert Munteanu <ro...@apache.org>.
On Mon, 2021-12-13 at 16:40 +0100, Bertrand Delacretaz wrote:
> If we make a statement I think it should include the list of modules
> we have checked as "not embedding log4j2" and describe the method
> used
> for that check.
I have used `repo grep log4j` in the Sling repo checkout, manually
validated that we don't pull in log4j2.
If we exclude test code, we only get 54 lines, it should be quite easy
for someone else to cross-check my findings.
Thanks,
Robert
Re: Log4Shell
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Mon, Dec 13, 2021 at 11:36 AM Carsten Ziegeler <cz...@apache.org> wrote:
> ...we could state that Sling based applications are not affected if they
> use the standard logging setup with commons log and log4j-over-slf4j and
> if there are no application bundles embedding a vulnerable log4j version...
Isn't there a (vague) risk that one of our transitive dependencies
embeds log4j2 ?
If we make a statement I think it should include the list of modules
we have checked as "not embedding log4j2" and describe the method used
for that check.
I suppose running "mvn dependency:tree | grep <some pattern>" is a
reasonable way of checking, so maybe this can be the script used to
check, from the top of a complete checkout of the Sling modules:
$ export PATTERN=<grep pattern that detects unwanted dependencies>
$ find . -name pom.xml | while read -r pom; do pushd "$(dirname "$pom")" >/dev/null;
mvn dependency:tree | grep "$PATTERN" ; popd >/dev/null ; done
-Bertrand
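As an added example (not from this thread and not Sling project code), here is the check Bertrand sketches with the grep pattern made specific. A bare `grep log4j` over `mvn dependency:tree` output also matches `log4j:log4j` (1.x, a different code base), `org.slf4j:log4j-over-slf4j` (the bridge Carsten names as the standard Sling setup) and `log4j-api`, none of which carry the JNDI lookup. The filter below reports only `org.apache.logging.log4j:log4j-core` nodes, and the sample tree it is exercised on is constructed for the example; the version classification assumes the widely published range for the original Log4Shell bug (2.x releases before 2.15.0).

```shell
#!/bin/sh
# Added example, not code from the Sling project or from the thread above.
# Filters `mvn dependency:tree` output for org.apache.logging.log4j:log4j-core
# and classifies the version found.

# Print "groupId:artifactId:version" for every log4j-core node read from stdin.
# dependency:tree lines look like "[INFO] |  \- g:a:type[:classifier]:v:scope",
# possibly followed by " - omitted for conflict with ..."; an omitted node
# still means some module declares log4j-core, so it is reported too.
find_log4j_core() {
  sed -n 's/.*\(org\.apache\.logging\.log4j:log4j-core:[^ ]*\).*/\1/p' \
  | awk -F: '{ v = (NF >= 6) ? $5 : $4; print $1 ":" $2 ":" v }' \
  | sort -u
}

# Classify a log4j-core version string:
#   log4shell  2.x below 2.15.0 (assumed range of the original Log4Shell bug,
#              CVE-2021-44228; "2.0-beta9" parses as minor 0 and is included)
#   review     any other 2.x (later 2.x releases received follow-up fixes,
#              so compare against the current Log4j advisory)
#   other      not a 2.x version
classify_version() {
  printf '%s\n' "$1" | awk -F. '
    $1 == 2 && ($2 + 0) < 15 { print "log4shell"; exit }
    $1 == 2                  { print "review";    exit }
                             { print "other" }'
}

# Walk a checkout the way the loop in the message above does and run the
# filter on every module's tree. Needs mvn on PATH; not exercised offline.
# Output: <module dir> TAB <g:a:v> TAB <classification>
scan_checkout() {
  find "${1:-.}" -name pom.xml | while read -r pom; do
    dir=$(dirname "$pom")
    (cd "$dir" && mvn -B dependency:tree 2>/dev/null) | find_log4j_core \
    | while IFS=: read -r g a v; do
        printf '%s\t%s:%s:%s\t%s\n' "$dir" "$g" "$a" "$v" "$(classify_version "$v")"
      done
  done
}

# Constructed sample tree (hypothetical coordinates) showing the look-alikes
# a bare `grep log4j` would flag alongside the one artifact that matters.
SAMPLE_TREE='[INFO] org.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.32:compile
[INFO] +- log4j:log4j:jar:1.2.17:test
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- org.example:lib:jar:3.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_TREE" | find_log4j_core | while IFS=: read -r g a v; do
    printf '%s:%s:%s\t%s\n' "$g" "$a" "$v" "$(classify_version "$v")"
  done
fi
```

Run with `--demo` to see the filter applied to the sample tree (one hit, `log4j-core:2.14.1`, classified `log4shell`), or source the file and call `scan_checkout /path/to/sling` from the top of a complete checkout. Because `find_log4j_core` reads a tree listing rather than running Maven itself, the same function can be applied to saved build logs.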
Re: Log4Shell
Posted by Carsten Ziegeler <cz...@apache.org>.
Hi,
we could state that Sling based applications are not affected if they
use the standard logging setup with commons log and log4j-over-slf4j and
if there are no application bundles embedding a vulnerable log4j version.
Regards
Carsten
Am 13.12.2021 um 10:19 schrieb Oliver Lietz:
> Hi *,
>
> How about putting a statement on our Sling homepage regarding Log4Shell?
> Commons Log is using Logback so we should be fine. Carsten, Chetan?
>
> Regards,
> O.
--
Carsten Ziegeler
Adobe
cziegeler@apache.org