Posted to users@jena.apache.org by Andy Seaborne <an...@apache.org> on 2021/12/10 14:55:29 UTC

Information about Apache Jena and Log4j2 vulnerability.

This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java versions 8u121 and 11.0.1, and later, set
"com.sun.jndi.rmi.object.trustURLCodebase"
and
"com.sun.jndi.cosnaming.object.trustURLCodebase"

to "false" protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with 
all affected Fuseki versions:

JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server ....


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

     Andy
     on behalf of the Jena PMC

Re: Information about Apache Jena and Log4j2 vulnerability.

Posted by Andy Seaborne <an...@apache.org>.

On 14/12/2021 12:04, jaanam@kolumbus.fi wrote:
> Hello,
> 
> Sorry for asking a stupid question, but I'm not sure it would be enough to 
> have just the below setting inside the docker container that runs 
> blankdots/jena-fuseki 3.17 image pulled from docker hub.

Disclaimer:

blankdots/jena-fuseki isn't connected with the Apache Jena project and I 
don't know that docker build.

> C:\Users\miettinj>docker exec -it 1a7e   /bin/bash
> root@1a7e400c71aa:/jena-fuseki# echo $JVM_ARGS
> -Xmx2g -Dlog4j2.formatMsgNoLookups=true
> root@1a7e400c71aa:/jena-fuseki#
> 
> Or should I also change the run command as explained below ?

If it is Fuseki 3.17 then it needs "-Dlog4j2.formatMsgNoLookups=true".

As long as JVM_ARGS propagates to the execution of Fuseki, then you 
should be good. (It is vulnerable to the unrelated Jena CVE fixed in 
4.2.0. [*])

Upgrading is better.

https://repo1.maven.org/maven2/org/apache/jena/jena-fuseki-docker/4.3.1/

     Andy

[*] https://lists.apache.org/thread/qpbfrdty7jt3yfm39hx4p9dp151sd6gm


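Two points in this thread are checks rather than settings: the original post's statement that Java 8u121 / 11.0.1 and later default the JNDI trustURLCodebase properties to false, and the reply above that the workaround only counts "as long as JVM_ARGS propagates to the execution of Fuseki". The script below is an added example, not code from the thread or from the Apache Jena project; it verifies both on a running host or inside a container by reading the JVM's real command line from /proc rather than trusting the environment variable. The function names, the FUSEKI_CHECK_LIVE variable and the sample command lines are assumptions made for the example; the version thresholds are the ones quoted in the thread, and Java 9/10, which the thread does not mention, are deliberately reported as unconfirmed.

```shell
#!/bin/sh
# Added example (not Apache Jena project code): verify that the log4j2
# mitigation from this thread actually reached a running Fuseki JVM, and
# classify the JVM version against the 8u121 / 11.0.1 thresholds quoted
# above. The pure functions run offline; the /proc walk at the bottom is
# for a live Linux host or a `docker exec` shell.

# Return 0 if a JVM command line (one string, space separated) carries
# -Dlog4j2.formatMsgNoLookups=true as a whole token. Matching whole tokens
# avoids being fooled by e.g. "-Dlog4j2.formatMsgNoLookups=trueish".
has_nolookups_flag() {
    case " $1 " in
        *" -Dlog4j2.formatMsgNoLookups=true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the Java version string (as printed by `java -version`) is
# one the thread vouches for: 8u121 or later, 11.0.1 or later, or a later
# major release. Java 9 and 10 are not mentioned in the thread, so they
# are reported as not confirmed (return 1) rather than guessed at.
java_jndi_defaults_safe() {
    v=$1
    case "$v" in
        1.8.0_*)
            u=${v#1.8.0_}; u=${u%%[!0-9]*}          # "121-b13" -> "121"
            [ "${u:-0}" -ge 121 ] ;;
        11.*)
            rest=${v#11.}
            minor=${rest%%.*}
            patch=${rest#"$minor"}; patch=${patch#.}; patch=${patch%%[!0-9]*}
            [ "${minor:-0}" -gt 0 ] || [ "${patch:-0}" -ge 1 ] ;;
        *)
            major=${v%%[!0-9]*}                      # "17.0.1" -> "17", "11" -> "11"
            case "$major" in ''|*[!0-9]*) return 1 ;; esac
            [ "$major" -ge 12 ] ;;
    esac
}

# Extract the version from `java -version` output, e.g.
#   openjdk version "11.0.13" 2021-10-19   ->   11.0.13
java_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1
}

# Live check: find JVMs whose command line mentions fuseki-server and report
# whether the flag reached them (pgrep and /proc assumed; not run by tests).
check_running_fuseki() {
    for pid in $(pgrep -f fuseki-server 2>/dev/null); do
        cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline")
        if has_nolookups_flag "$cmd"; then
            echo "pid $pid: -Dlog4j2.formatMsgNoLookups=true present"
        else
            echo "pid $pid: MITIGATION FLAG MISSING (JVM_ARGS did not propagate?)"
        fi
    done
    ver=$(java_version_from_banner "$(java -version 2>&1)")
    if java_jndi_defaults_safe "$ver"; then
        echo "java $ver: trustURLCodebase defaults false per the thread"
    else
        echo "java $ver: not confirmed by the thread; treat as exposed"
    fi
}

# Run the live check only when asked for, so the file can also be sourced.
if [ "${FUSEKI_CHECK_LIVE:-0}" = 1 ]; then
    check_running_fuseki
fi
```

Inside the container from the question, `docker exec <container> sh -c 'FUSEKI_CHECK_LIVE=1 sh /path/to/check.sh'` answers it directly: the line printed for the Fuseki pid shows whether the value of JVM_ARGS reached the java process, which is the condition the reply sets, independent of what `echo $JVM_ARGS` says in a separate shell.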
Re: Information about Apache Jena and Log4j2 vulnerability.

Posted by ja...@kolumbus.fi.
Hello,

Sorry for asking a stupid question, but I'm not sure it would be enough to 
have just the below setting inside the docker container that runs 
blankdots/jena-fuseki 3.17 image pulled from docker hub.

C:\Users\miettinj>docker exec -it 1a7e   /bin/bash
root@1a7e400c71aa:/jena-fuseki# echo $JVM_ARGS
-Xmx2g -Dlog4j2.formatMsgNoLookups=true
root@1a7e400c71aa:/jena-fuseki#

Or should I also change the run command as explained below ?

Br, Jaana



Re: Information about Apache Jena and Log4j2 vulnerability.

Posted by Andy Seaborne <an...@apache.org>.
Please don't mix the focus of the thread.

This thread is important information about the Apache Jena project.

To be clear to the wider audience: RDF Delta is not under the governance 
of the Apache Jena PMC.

     Andy

Obviously, the published mitigations work with the combined RDF 
Delta/Fuseki artifact.

On 10/12/2021 19:05, Brandon Sara wrote:
> Andy, will you be releasing an RDF-Delta update that uses 4.3.1 soon as well?

Re: Information about Apache Jena and Log4j2 vulnerability.

Posted by Brandon Sara <br...@collectivemedicaltech.com.INVALID>.
Andy, will you be releasing an RDF-Delta update that uses 4.3.1 soon as well?