Posted to java-user@axis.apache.org by "Malaluan, Jay Joel" <Ja...@ethoca.com> on 2022/01/26 21:01:42 UTC

[Axis2] log4j inquiry

Hi,

During December 2021, there was a log4j-wide vulnerability. For reference, https://logging.apache.org/log4j/2.x/security.html.

At that time our company did some patching to address our vulnerable components.
We use a very old version of the axis2.war, which is v1.6.x. Based on our internal scan, it was found that it has axis2/WEB-INF/lib/log4j-1.2.15.jar.
Our security team's recommended fix should be >= log4j 2.16.0.

Looking at the latest available release at https://axis.apache.org/axis2/java/core/download.html, it's axis2-1.8.0.war. When I peeked inside, the log4j library versions are still 2.14.1.

WEB-INF/lib/log4j-api-2.14.1.jar
WEB-INF/lib/log4j-core-2.14.1.jar
WEB-INF/lib/log4j-jcl-2.14.1.jar

Based on the site, https://logging.apache.org/log4j/2.x/security.html, it should be 2.17.0 (for Java 8 and later).

Is there a newer axis2.war release that has the latest 2.17.x log4j library version?

Thanks.

Jay Malaluan
Software Development Engineer II

Mastercard


CONFIDENTIALITY NOTICE This e-mail message and any attachments are only for the use of the intended recipient and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If you are not the intended recipient, any disclosure, distribution or other use of this e-mail message or attachments is prohibited. If you have received this e-mail message in error, please delete and notify the sender immediately. Thank you.

Re: Re: [Axis2] log4j inquiry

Posted by robertlazarski <ro...@gmail.com>.
Yes, upgrading to 2.17.1 will work on Axis 1.8.0.

We are all volunteers, so we have no ETA besides that it will go out soon.

On Wed, Jan 26, 2022 at 11:21 AM Malaluan, Jay Joel <
JayJoel.Malaluan@ethoca.com> wrote:

Re: Re: [Axis2] log4j inquiry

Posted by "Malaluan, Jay Joel" <Ja...@ethoca.com>.
Hi,

Appreciate the feedback!

At this point, should we just use the latest axis2-1.8.0.war and patch the lower log4j 2.14.1 version to the newer 2.17.0? Has that been done and proven to work on your end?

When can we expect 1.8.1 to be available?

Thanks.


From: robertlazarski <ro...@gmail.com>
Reply-To: "java-user@axis.apache.org" <ja...@axis.apache.org>
Date: Wednesday, January 26, 2022 at 4:12 PM
To: "java-user@axis.apache.org" <ja...@axis.apache.org>
Subject: {EXTERNAL} Re: [Axis2] log4j inquiry

Re: [Axis2] log4j inquiry

Posted by robertlazarski <ro...@gmail.com>.
The latest log4j2 is 2.17.1. That's the version used in our pom.xml in git.

1.6.x actually ships with log4j 1.x.

The Axis2 release of 1.8.0 shipped log4j2 jars, which unfortunately need to be patched manually via the latest jars.

We'll be releasing 1.8.1 soon, which will fix that.

On Wed, Jan 26, 2022 at 11:02 AM Malaluan, Jay Joel <
JayJoel.Malaluan@ethoca.com> wrote:
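The kind of WAR inspection the thread describes (peeking into WEB-INF/lib for log4j jars and comparing them against the fixed version), as an added example that is not code from the thread or from the Axis2 project. It assumes the jar naming shown above and takes 2.17.1 (the version the reply says pom.xml uses) as the minimum; the sample WARs are constructed zips with empty placeholder jars.

```python
import io
import re
import zipfile

# Minimum log4j 2.x version treated as fixed (assumption: the 2.17.1 named in the reply).
MIN_LOG4J2 = (2, 17, 1)

# Matches WEB-INF/lib/log4j-<artifact>-<version>.jar (log4j 2.x naming such as
# log4j-core-2.14.1.jar) and WEB-INF/lib/log4j-<version>.jar (log4j 1.x naming
# such as log4j-1.2.15.jar). Dots are allowed in the artifact so that names like
# log4j-1.2-api-2.17.1.jar are classified by their trailing version.
JAR_RE = re.compile(
    r"^WEB-INF/lib/log4j(?:-(?P<artifact>[a-z0-9.-]+?))?-(?P<version>\d+(?:\.\d+)+)\.jar$"
)

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def find_log4j_jars(war_bytes):
    """Return (path, artifact, version_tuple) for every log4j jar inside the WAR."""
    found = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = JAR_RE.match(name)
            if match:
                artifact = match.group("artifact") or "log4j"
                found.append((name, artifact, parse_version(match.group("version"))))
    return found

def assess_war(war_bytes, minimum=MIN_LOG4J2):
    """Classify each log4j jar as 'log4j1' (end-of-life 1.x), 'outdated', or 'ok'."""
    report = {}
    for path, _artifact, version in find_log4j_jars(war_bytes):
        if version[0] < 2:
            report[path] = "log4j1"
        elif version < minimum:
            report[path] = "outdated"
        else:
            report[path] = "ok"
    return report

def build_sample_war(jar_paths):
    """Constructed stand-in for a real WAR: a zip containing empty placeholder jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for path in jar_paths:
            war.writestr(path, b"")
    return buf.getvalue()

# Jar names as listed in the thread for axis2-1.8.0.war and the 1.6.x war (constructed zips).
AXIS2_180 = build_sample_war(["WEB-INF/lib/log4j-api-2.14.1.jar", "WEB-INF/lib/log4j-core-2.14.1.jar",
                              "WEB-INF/lib/log4j-jcl-2.14.1.jar", "WEB-INF/lib/not-log4j-1.0.jar"])
AXIS2_16X = build_sample_war(["WEB-INF/lib/log4j-1.2.15.jar"])
```

Run against a real file with `assess_war(open("axis2.war", "rb").read())`; any entry not reported as `ok` is a jar that still needs the manual replacement the reply describes.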