Posted to users@jena.apache.org by Erik Bijsterbosch <e....@gmail.com> on 2022/01/03 09:42:10 UTC

Request for adding log4j 2.17.1 to Fuseki Jena

Hi there,

I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
latest version:
https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/

This image still contains log4j vulnerabilities from version 2.16.0.
These are supposed to be fixed in version 2.17.1.
I also had to upgrade versions in the Dockerfile for openjdk and alpine to
get rid of more vulnerabilities:

ARG OPENJDK_VERSION=17
ARG ALPINE_VERSION=3.15.0

1) Is there a way to set the log4j version yourself?

2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?

Regards,
Erik

scan.log
 - - - - - -

Testing docker.io/library/fuskeki-local...

Tested 58 dependencies for known issues, found 3 issues.


Issues with no direct upgrade or patch:
  ✗ Denial of Service (DoS) [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
com.fasterxml.jackson.core:jackson-databind@2.13.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
com.fasterxml.jackson.core:jackson-databind@2.13.0
  This issue was fixed in versions: 2.13.1, 2.12.6
  ✗ Denial of Service (DoS) [High Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
org.apache.logging.log4j:log4j-core@2.16.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
  ✗ Arbitrary Code Execution [Medium Severity][
https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
org.apache.logging.log4j:log4j-core@2.16.0
    introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
org.apache.logging.log4j:log4j-core@2.16.0
  This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1

Re: Request for adding log4j 2.17.1 to Fuseki Jena

Posted by Andy Seaborne <an...@apache.org>.

On 03/01/2022 11:30, Lorenz Buehmann wrote:
> That has already been addressed and will be provided with Jena 4.4.0:
> 
> https://issues.apache.org/jira/browse/JENA-2233?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel 
> 
> 
> I doubt there will be another minor version 4.3.3, Andy?

I don't see a reason at the moment. As is normal in these incidents, new 
information and attack variations appear as after-shock so that might 
change.

It takes a compromised machine or compromised setup of the server to 
exploit the ones addressed in 2.17.0 and 2.17.1.

The project has only so much bandwidth.

     Andy

> You could build the Docker image from sources, just check out the latest 
> code. Indeed, it's still a SNAPSHOT version, but you could also make 
> your own version out of it if you have no time to wait for 4.4.0.
> 
> On 03.01.22 10:42, Erik Bijsterbosch wrote:
>> Hi there,
>>
>> I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
>> latest version:
>> https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
>>
>> This image still contains log4j vulnerabilities from version 2.16.0.
>> These are supposed to be fixed in version 2.17.1.
>> I also had to upgrade versions in the Dockerfile for openjdk and alpine to
>> get rid of more vulnerabilities:
>>
>> ARG OPENJDK_VERSION=17
>> ARG ALPINE_VERSION=3.15.0
>>
>> 1) Is there a way to set the log4j version yourself?
>>
>> 2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?
>>
>> Regards,
>> Erik
>>
>> scan.log
>>   - - - - - -
>>
>> Testing docker.io/library/fuskeki-local...
>>
>> Tested 58 dependencies for known issues, found 3 issues.
>>
>>
>> Issues with no direct upgrade or patch:
>>    ✗ Denial of Service (DoS) [Medium Severity][
>> https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
>> com.fasterxml.jackson.core:jackson-databind@2.13.0
>>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
>> com.fasterxml.jackson.core:jackson-databind@2.13.0
>>    This issue was fixed in versions: 2.13.1, 2.12.6
>>    ✗ Denial of Service (DoS) [High Severity][
>> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
>> org.apache.logging.log4j:log4j-core@2.16.0
>>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
>> org.apache.logging.log4j:log4j-core@2.16.0
>>    This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
>>    ✗ Arbitrary Code Execution [Medium Severity][
>> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
>> org.apache.logging.log4j:log4j-core@2.16.0
>>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
>> org.apache.logging.log4j:log4j-core@2.16.0
>>    This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
>>

Re: Request for adding log4j 2.17.1 to Fuseki Jena

Posted by Lorenz Buehmann <bu...@informatik.uni-leipzig.de>.
That has already been addressed and will be provided with Jena 4.4.0:

https://issues.apache.org/jira/browse/JENA-2233?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel

I doubt there will be another minor version 4.3.3, Andy?

You could build the Docker image from sources, just check out the latest 
code. Indeed, it's still a SNAPSHOT version, but you could also make 
your own version out of it if you have no time to wait for 4.4.0.

On 03.01.22 10:42, Erik Bijsterbosch wrote:
> Hi there,
>
> I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
> latest version:
> https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
>
> This image still contains log4j vulnerabilities from version 2.16.0.
> These are supposed to be fixed in version 2.17.1.
> I also had to upgrade versions in the Dockerfile for openjdk and alpine to
> get rid of more vulnerabilities:
>
> ARG OPENJDK_VERSION=17
> ARG ALPINE_VERSION=3.15.0
>
> 1) Is there a way to set the log4j version yourself?
>
> 2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?
>
> Regards,
> Erik
>
> scan.log
>   - - - - - -
>
> Testing docker.io/library/fuskeki-local...
>
> Tested 58 dependencies for known issues, found 3 issues.
>
>
> Issues with no direct upgrade or patch:
>    ✗ Denial of Service (DoS) [Medium Severity][
> https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
> com.fasterxml.jackson.core:jackson-databind@2.13.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> com.fasterxml.jackson.core:jackson-databind@2.13.0
>    This issue was fixed in versions: 2.13.1, 2.12.6
>    ✗ Denial of Service (DoS) [High Severity][
> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
> org.apache.logging.log4j:log4j-core@2.16.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> org.apache.logging.log4j:log4j-core@2.16.0
>    This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
>    ✗ Arbitrary Code Execution [Medium Severity][
> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
> org.apache.logging.log4j:log4j-core@2.16.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> org.apache.logging.log4j:log4j-core@2.16.0
>    This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
>

Re: Request for adding log4j 2.17.1 to Fuseki Jena

Posted by Andy Seaborne <an...@apache.org>.
See

https://issues.apache.org/jira/browse/JENA-2233
https://issues.apache.org/jira/browse/JENA-2224

https://github.com/apache/jena/blob/main/pom.xml
for the releases currently in the main branch which will be in the next 
version 4.4.0

log4j2: 2.17.1
jackson: 2.13.1

Note: Jena does not use Jackson itself - it gets it via a dependency.
To make sure we ship a version without already-addressed 
vulnerabilities, we exclude it via the dependency route and select the 
version ourselves.

On 03/01/2022 09:42, Erik Bijsterbosch wrote:
> Hi there,
> 
> I ran a docker scan on a Fuseki Jena 4.3.2 image which I built with the
> latest version:
> https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-server/4.3.2/
> 
> This image still contains log4j vulnerabilities from version 2.16.0.
> These are supposed to be fixed in version 2.17.1.
> I also had to upgrade versions in the Dockerfile for openjdk and alpine to
> get rid of more vulnerabilities:
> 
> ARG OPENJDK_VERSION=17
> ARG ALPINE_VERSION=3.15.0

With those settings, does the built docker Fuseki function correctly?

> 1) Is there a way to set the log4j version yourself?

Firstly - consider the attack vector.
Second - review the mitigations.

https://logging.apache.org/log4j/2.x/security.html

CVE-2021-44832:
"""
an attacker with permission to modify the logging configuration file can 
construct a malicious configuration using a JDBC Appender with a data 
source referencing a JNDI URI
"""
CVE-2021-45105:
"""
When the logging configuration uses a non-default Pattern Layout with a 
Context Lookup (for example, $${ctx:loginId})
"""

The built-in Fuseki configuration and the one in jena-fuseki-docker do 
not use a JDBC appender nor do they use the "${}" feature.

- can the attacker get access to the docker image build process?
- can the attacker get access to the running docker container?

----

There are various ways to modify the jar or Dockerfile to use a 
different version of log4j.

A - invoke with "java -cp", not "java -jar" and put your choice of log4j 
on classpath before the jena-fuseki-server.jar.

The "main" class is org.apache.jena.fuseki.main.cmds.FusekiMainCmd

B - Modify the jena-fuseki-server jar itself.

jar files are zip files from the maven-shade-plugin. You can replace the 
files in the zip file.

C - Jena is open source. Get the 4.3.2 sources, change the log4j 
version, then rebuild. Probably best to give Jena a special version number.


> 2) Can log4j version 2.17.1 be implemented in Fuseki Jena 4.3.3?

See above.

     Andy

> 
> Regards,
> Erik
> 
> scan.log
>   - - - - - -
> 
> Testing docker.io/library/fuskeki-local...
> 
> Tested 58 dependencies for known issues, found 3 issues.
> 
> 
> Issues with no direct upgrade or patch:
>    ✗ Denial of Service (DoS) [Medium Severity][
> https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in
> com.fasterxml.jackson.core:jackson-databind@2.13.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> com.fasterxml.jackson.core:jackson-databind@2.13.0
>    This issue was fixed in versions: 2.13.1, 2.12.6
>    ✗ Denial of Service (DoS) [High Severity][
> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524] in
> org.apache.logging.log4j:log4j-core@2.16.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> org.apache.logging.log4j:log4j-core@2.16.0
>    This issue was fixed in versions: 2.3.1, 2.12.3, 2.17.0
>    ✗ Arbitrary Code Execution [Medium Severity][
> https://snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339] in
> org.apache.logging.log4j:log4j-core@2.16.0
>      introduced by org.apache.jena:jena-fuseki-server@4.3.2 >
> org.apache.logging.log4j:log4j-core@2.16.0
>    This issue was fixed in versions: 2.3.2, 2.12.4, 2.17.1
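Whichever of options A, B or C above is used, the practical question afterwards is the same one the scan answered: which log4j-core does the shaded jena-fuseki-server.jar actually bundle, and is that version on one of the branches the advisory lists as fixed? The script below is an added example written for this thread, not code from the Jena project or from anyone in the discussion. It reads the Maven metadata (META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties) that shaded jars typically keep and that dependency scanners rely on, and applies a branch-aware reading of the "fixed in versions: 2.3.2, 2.12.4, 2.17.1" line from the scan output. The jar it inspects is constructed in a temporary directory so the script runs offline; the branch semantics (fixed from that patch onward within each listed branch, and in everything at or above the newest fix) are my assumption about how such advisory lines are meant to be read.

```python
"""Check which log4j-core a shaded (maven-shade-plugin) jar bundles and
whether that version is on a fixed branch.

Added example for the users@jena thread; not Jena project code. The jar
inspected here is constructed locally so the script runs offline.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Standard Maven layout that shaded jars usually retain for each bundled dependency.
LOG4J_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Fixed versions exactly as the scan output lists them for the
# "Arbitrary Code Execution" finding (CVE-2021-44832 in the thread).
FIXED_IN = ("2.3.2", "2.12.4", "2.17.1")


def parse_version(version):
    """'2.17.1' -> (2, 17, 1); missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed(version, fixed_in=FIXED_IN):
    """Branch-aware check of a 'fixed in versions: a, b, c' advisory line.

    Assumption: a version is fixed if it is at or above the newest listed fix,
    or if it sits on the same major.minor branch as an older listed fix with a
    patch level at or above it. Anything in between (e.g. 2.5.0) is not fixed.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    if v >= fixes[-1]:
        return True
    return any(v[:2] == f[:2] and v[2] >= f[2] for f in fixes[:-1])


def log4j_core_version(jar_path):
    """Return log4j-core's version read from its pom.properties in the jar, or None."""
    with zipfile.ZipFile(jar_path) as jar:
        if LOG4J_CORE_POM_PROPS not in jar.namelist():
            return None
        props = jar.read(LOG4J_CORE_POM_PROPS).decode("utf-8")
    match = re.search(r"^version=(.+)$", props, re.MULTILINE)
    return match.group(1).strip() if match else None


def audit_jar(jar_path):
    """Summarise one jar: bundled log4j-core version and whether it is fixed."""
    version = log4j_core_version(jar_path)
    return {"version": version, "fixed": version is not None and is_fixed(version)}


def make_sample_jar(path, log4j_version):
    """Constructed stand-in for jena-fuseki-server.jar (not the real artifact).

    Only the entries the audit needs are written; the class entry is an empty
    placeholder so the zip looks like a shaded jar rather than bare metadata.
    """
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            "META-INF/MANIFEST.MF",
            "Manifest-Version: 1.0\nMain-Class: org.apache.jena.fuseki.main.cmds.FusekiMainCmd\n",
        )
        jar.writestr(
            LOG4J_CORE_POM_PROPS,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={log4j_version}\n",
        )
        jar.writestr("org/apache/logging/log4j/core/Placeholder.class", b"")


def audit_samples():
    """Build a 2.16.0 jar (as in the scan) and a 2.17.1 jar, audit both.

    Returns {version_read_from_jar: fixed_flag} so the result can be checked.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("2.16.0", "2.17.1"):
            jar = Path(tmp) / f"fuseki-sample-{version}.jar"
            make_sample_jar(jar, version)
            report = audit_jar(jar)
            results[report["version"]] = report["fixed"]
    return results


if __name__ == "__main__":
    for version, fixed in audit_samples().items():
        print(f"log4j-core {version}: {'fixed' if fixed else 'NOT fixed'}")
```

Run it against a real artifact with `audit_jar(Path("jena-fuseki-server.jar"))` after applying option A, B or C; if `version` comes back `None`, the shade configuration has stripped the Maven metadata and the scanner's view of the jar is no longer reliable either, so fall back to checking the classpath ordering (option A) or the rebuilt pom (option C) directly.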