Posted to users@zeppelin.apache.org by "Pastrana, Rodrigo (RIS-BCT)" <Ro...@lexisnexisrisk.com> on 2021/12/16 15:26:56 UTC

Log4J Vulnerability

Is Zeppelin affected by the recently discovered log4j vulnerability?

I was not able to find an official announcement. Thanks.

________________________________
The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.

RE: Log4J Vulnerability

Posted by "Pastrana, Rodrigo (RIS-BCT)" <Ro...@lexisnexisrisk.com>.
Thanks Jack, I see that as well, but the concern is that the entry seems to have been added to the top-level pom 7 years ago, and I thought the recent patch was released in log4j-core 2.15 and 2.16:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.16.0

Has Zeppelin avoided CVE-2021-44228 by virtue of targeting the older, end-of-life log4j 1?
If so, is there a plan to patch? Otherwise, is there an official announcement?


From: Jack Park <ja...@topicquests.org>
Sent: Thursday, December 16, 2021 11:40 AM
To: users@zeppelin.apache.org
Cc: dev <de...@zeppelin.apache.org>
Subject: Re: Log4J Vulnerability


*** External email: use caution ***


The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is the patched version.
That's what is in GitHub now - it says nothing (to me) about older versions in use.


On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <Ro...@lexisnexisrisk.com> wrote:
Is Zeppelin affected by the recently discovered log4j vulnerability?

I was not able to find an official announcement. Thanks.


RE: Log4J Vulnerability

Posted by "Pastrana, Rodrigo (RIS-BCT)" <Ro...@lexisnexisrisk.com>.
FYI found a couple of relevant Jiras:
https://issues.apache.org/jira/browse/ZEPPELIN-5613
https://issues.apache.org/jira/browse/ZEPPELIN-3527
https://issues.apache.org/jira/browse/ZEPPELIN-5452

Unfortunately none seem to be active.

From: Pastrana, Rodrigo (RIS-BCT) <Ro...@lexisnexisrisk.com>
Sent: Thursday, December 16, 2021 12:46 PM
To: users@zeppelin.apache.org
Cc: dev <de...@zeppelin.apache.org>
Subject: RE: Log4J Vulnerability

Thanks Markus, that confirms my understanding.
Also, I believe log4j 1 is at end-of-life and susceptible to other security vulnerabilities, which is why I'm looking forward to an official statement from the Zeppelin project.

From: Markus Härnvi <ma...@harnvi.net>
Sent: Thursday, December 16, 2021 12:23 PM
To: users@zeppelin.apache.org
Cc: dev <de...@zeppelin.apache.org>
Subject: Re: Log4J Vulnerability





1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228. Versions 1.* never had the JNDI lookup code.

It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in 2.16.

/Markus

On 16 Dec 2021 at 17:39:44, Jack Park <ja...@topicquests.org> wrote:
The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is the patched version.
That's what is in GitHub now - it says nothing (to me) about older versions in use.


On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <Ro...@lexisnexisrisk.com> wrote:
Is Zeppelin affected by the recently discovered log4j vulnerability?

I was not able to find an official announcement. Thanks.


RE: Log4J Vulnerability

Posted by "Pastrana, Rodrigo (RIS-BCT)" <Ro...@lexisnexisrisk.com>.
Thanks Markus, that confirms my understanding.
Also, I believe log4j 1 is at end-of-life and susceptible to other security vulnerabilities, which is why I'm looking forward to an official statement from the Zeppelin project.

From: Markus Härnvi <ma...@harnvi.net>
Sent: Thursday, December 16, 2021 12:23 PM
To: users@zeppelin.apache.org
Cc: dev <de...@zeppelin.apache.org>
Subject: Re: Log4J Vulnerability





1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228. Versions 1.* never had the JNDI lookup code.

It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in 2.16.

/Markus

On 16 Dec 2021 at 17:39:44, Jack Park <ja...@topicquests.org> wrote:
The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is the patched version.
That's what is in GitHub now - it says nothing (to me) about older versions in use.


On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <Ro...@lexisnexisrisk.com> wrote:
Is Zeppelin affected by the recently discovered log4j vulnerability?

I was not able to find an official announcement. Thanks.


Re: Log4J Vulnerability

Posted by Markus Härnvi <ma...@harnvi.net>.
1.2.17 is from the old 1.0 branch and not affected by CVE-2021-44228.
Versions 1.* never had the JNDI lookup code.

It is only log4j 2 that is vulnerable. Fixed in 2.15 and an enhanced fix in
2.16.

/Markus

On 16 Dec 2021 at 17:39:44, Jack Park <ja...@topicquests.org> wrote:

> The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is
> the patched version.
> That's what is in GitHub now - it says nothing (to me) about older
> versions in use.
>
>
> On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <
> Rodrigo.Pastrana@lexisnexisrisk.com> wrote:
>
>> Is Zeppelin affected by the recently discovered log4j vulnerability?
>>
>>
>>
>> I was not able to find an official announcement. Thanks.
>
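Added example, not part of the thread or of the Zeppelin project: a small Python script that reads a Maven pom.xml, resolves ${property} versions, and classifies each log4j coordinate by the version facts Markus states above (log4j 1.x, group "log4j", never had the JNDI lookup code and is not affected by CVE-2021-44228; log4j-core 2.x is affected below 2.15.0, with an enhanced fix in 2.16.0). The pom it audits is a constructed sample, not Zeppelin's real pom, and the verdict strings are this example's own.

```python
"""Classify the log4j coordinates declared in a Maven pom.xml against
CVE-2021-44228, using the version facts from the thread: log4j 1.x never
had the JNDI lookup code, log4j-core 2.x is affected, the fix landed in
2.15.0 and an enhanced fix in 2.16.0. Added example; the pom is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom, NOT Zeppelin's real pom: a log4j 1.x dependency like
# the one the thread discusses, a log4j-core pinned through a property, and an
# unrelated dependency as a control.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>sample</artifactId>
  <version>0.1</version>
  <properties>
    <log4j2.version>2.14.1</log4j2.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId>
      <version>1.7.32</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'2.16.0' -> (2, 16, 0); a '-rc1'-style qualifier is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def classify(group_id, artifact_id, version):
    """Return a verdict string for one dependency coordinate."""
    if group_id == "log4j" and artifact_id == "log4j":
        # The 1.x branch predates the JNDI lookup, so this CVE does not apply;
        # the branch is end-of-life, though, as the thread notes.
        return "not affected by CVE-2021-44228 (log4j 1.x, end-of-life branch)"
    if group_id == "org.apache.logging.log4j" and artifact_id == "log4j-core":
        v = parse_version(version)
        if not v:
            return "log4j-core version unresolved: check parent pom / dependencyManagement"
        if v < (2, 15):
            return "VULNERABLE: log4j-core %s is below 2.15.0" % version
        if v < (2, 16):
            return "initial fix only (2.15); upgrade to the enhanced 2.16 fix"
        return "fixed (log4j-core %s >= 2.16.0)" % version
    if group_id == "org.apache.logging.log4j":
        return "log4j 2 artifact other than log4j-core; the lookup code lives in log4j-core"
    return "not log4j"


def resolve(value, properties):
    """Substitute ${name} references from the pom's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: properties.get(m.group(1), m.group(0)), value)


def audit_pom(pom_xml):
    """Return [(coordinate, verdict)] for every <dependency> in the pom,
    including those under <dependencyManagement>."""
    root = ET.fromstring(pom_xml)
    # Maven poms usually carry the POM default namespace; handle both cases.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    properties = {child.tag.replace(ns, ""): (child.text or "").strip()
                  for child in root.findall(ns + "properties/*")}
    findings = []
    for dep in root.iter(ns + "dependency"):
        g = (dep.findtext(ns + "groupId") or "").strip()
        a = (dep.findtext(ns + "artifactId") or "").strip()
        v = resolve((dep.findtext(ns + "version") or "").strip(), properties)
        findings.append(("%s:%s:%s" % (g, a, v or "<unset>"), classify(g, a, v)))
    return findings


if __name__ == "__main__":
    for coordinate, verdict in audit_pom(SAMPLE_POM):
        print("%-50s %s" % (coordinate, verdict))
```

This only reports what the pom declares, which is exactly the limitation Jack points out: it says nothing about the log4j jars actually present at runtime. Interpreter modules and their transitive dependencies (Spark, Hadoop clients and so on) can pull in a log4j-core of their own, so a declared 1.2.17 in the top-level pom is not a clean bill of health; resolve the full tree with `mvn dependency:tree` or inventory the jars in the deployed lib directories before treating a build as unaffected.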

Re: Log4J Vulnerability

Posted by Jack Park <ja...@topicquests.org>.
The pom.xml says log4j is version 1.2.17 which, if I am not mistaken, is
the patched version.
That's what is in GitHub now - it says nothing (to me) about older versions
in use.


On Thu, Dec 16, 2021 at 7:28 AM Pastrana, Rodrigo (RIS-BCT) <
Rodrigo.Pastrana@lexisnexisrisk.com> wrote:

> Is Zeppelin affected by the recently discovered log4j vulnerability?
>
>
>
> I was not able to find an official announcement. Thanks.