Posted to users@camel.apache.org by David Ecker <da...@ecker-software.de> on 2021/12/13 09:45:26 UTC

Apache Log4j Security Vulnerabilities

Hi,

since it looks like camel/camel-k is directly affected by the 
vulnerability, is a patch or a workaround for camel-k already available?

Thanks,
David

Re: Apache Log4j Security Vulnerabilities

Posted by Claus Ibsen <cl...@gmail.com>.
On Mon, Dec 13, 2021 at 11:43 AM David Ecker <da...@ecker-software.de> wrote:
>
> Thanks,
>
> one system less to fix.
>

We have not identified log4j-core as used at runtime as part of Camel
K. We may have missed something.
log4j is used during testing of camel and camel-k-runtime itself.

For camel-k-runtime we only used it during testing, but have
completely removed it for the next release:
https://github.com/apache/camel-k-runtime/commit/df1608055e0f94f923a24cde27b29ad3be1a6a11

The logging systems that are used at runtime, camel-k and the builder
pod are quarkus and maven.
Both of them do not use log4j, but jboss-logging and slf4j simple logging.

The next round of LTS releases of Apache Camel will upgrade to log4j
2.15.0, which has the CVE fix.
But we are only using log4j during testing. Nevertheless it gives
some reassurance that if log4j is used anyhow, then it's the fixed version.


> bye
> David
>
> On 12/13/21 11:40 AM, Claus Ibsen wrote:
> > On Mon, Dec 13, 2021 at 11:37 AM David Ecker <da...@ecker-software.de> wrote:
> >> Hi Claus,
> >>
> >> the information is from Red Hat, if I understood it correctly:
> >>
> >> https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
> >>
> > Their product and upstream Camel K are not 100% identical.
> >
> >
> >> bye
> >> David
> >>
> >> On 12/13/21 11:32 AM, Claus Ibsen wrote:
> >>> On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
> >>>> Hi,
> >>>>
> >>>> since it looks like camel/camel-k is directly affected by the
> >>>> vulnerability, is a patch or a workaround for camel-k already available?
> >>>>
> >>> Where do you think that?
> >>>
> >>> camel-k runs on quarkus that is not affected. Camel is a library that
> >>> does not use log4j - we use slf4j-api as logging abstraction.
> >>> the builder pod for camel-k is using apache maven, which uses the
> >>> simpler logging from slf4j.
> >>>
> >>> not sure where you think log4j-core is actively in use in camel-k.
> >>>
> >>> A blog post is in draft at
> >>> https://github.com/apache/camel-website/pull/714
> >>>
> >>>> Thanks,
> >>>> David
> >>>
> >
>


-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2
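As an added check of the claim above that log4j-core is not on the Camel K runtime classpath (this script is not from the thread or the Camel project), the following scans a directory of jars, including jars nested inside uber jars or WARs, for the log4j-core marker class and reports the bundled version, so the statement can be verified on a built image rather than taken on trust. Jar names and sample entries are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

# Marker class for log4j-core, the artifact the thread says is absent from the
# Camel K runtime. It exists in log4j-core 2.15.0 and older (removed in 2.16.0),
# so the version from the bundled pom.properties is reported alongside it.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".zip")

def scan_jar_bytes(name, data, depth=0):
    """Return log4j-core findings for one archive, recursing into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip (e.g. a stray file named *.jar)
    version, has_jndi = None, False
    for entry in zf.namelist():
        if entry == JNDI_LOOKUP:
            has_jndi = True
        elif entry == CORE_POM:
            lines = zf.read(entry).decode("utf-8", "replace").splitlines()
            version = next((ln.split("=", 1)[1].strip() for ln in lines
                            if ln.startswith("version=")), None)
        elif entry.endswith(NESTED) and depth < 3:  # fat/uber jars, WARs
            findings += scan_jar_bytes(f"{name}!{entry}", zf.read(entry), depth + 1)
    if has_jndi or version:
        findings.append({"jar": name, "version": version, "jndi_lookup": has_jndi})
    return findings

def scan_directory(root):
    """Scan every archive under root, e.g. the lib/ dir of an extracted image."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix in NESTED:
            findings += scan_jar_bytes(str(path), path.read_bytes())
    return findings

def build_sample_jar(entries):
    """Build an in-memory jar from {entry_name: bytes}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()
```

An empty result from scan_directory on the runtime's jar directory is the evidence the thread's statement rests on; a hit with a version below the fixed release is what to escalate.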

Re: Apache Log4j Security Vulnerabilities

Posted by David Ecker <da...@ecker-software.de>.
Thanks,

one system less to fix.

bye
David

On 12/13/21 11:40 AM, Claus Ibsen wrote:
> On Mon, Dec 13, 2021 at 11:37 AM David Ecker <da...@ecker-software.de> wrote:
>> Hi Claus,
>>
>> the information is from Red Hat, if I understood it correctly:
>>
>> https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
>>
> Their product and upstream Camel K are not 100% identical.
>
>
>> bye
>> David
>>
>> On 12/13/21 11:32 AM, Claus Ibsen wrote:
>>> On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
>>>> Hi,
>>>>
>>>> since it looks like camel/camel-k is directly affected by the
>>>> vulnerability, is a patch or a workaround for camel-k already available?
>>>>
>>> Where do you think that?
>>>
>>> camel-k runs on quarkus that is not affected. Camel is a library that
>>> does not use log4j - we use slf4j-api as logging abstraction.
>>> the builder pod for camel-k is using apache maven, which uses the
>>> simpler logging from slf4j.
>>>
>>> not sure where you think log4j-core is actively in use in camel-k.
>>>
>>> A blog post is in draft at
>>> https://github.com/apache/camel-website/pull/714
>>>
>>>> Thanks,
>>>> David
>>>
>


Re: Apache Log4j Security Vulnerabilities

Posted by Claus Ibsen <cl...@gmail.com>.
On Mon, Dec 13, 2021 at 11:37 AM David Ecker <da...@ecker-software.de> wrote:
>
> Hi Claus,
>
> the information is from Red Hat, if I understood it correctly:
>
> https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
>

Their product and upstream Camel K are not 100% identical.


> bye
> David
>
> On 12/13/21 11:32 AM, Claus Ibsen wrote:
> > On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
> >> Hi,
> >>
> >> since it looks like camel/camel-k is directly affected by the
> >> vulnerability, is a patch or a workaround for camel-k already available?
> >>
> > Where do you think that?
> >
> > camel-k runs on quarkus that is not affected. Camel is a library that
> > does not use log4j - we use slf4j-api as logging abstraction.
> > the builder pod for camel-k is using apache maven, which uses the
> > simpler logging from slf4j.
> >
> > not sure where you think log4j-core is actively in use in camel-k.
> >
> > A blog post is in draft at
> > https://github.com/apache/camel-website/pull/714
> >
> >> Thanks,
> >> David
> >
> >
>


-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: Apache Log4j Security Vulnerabilities

Posted by Claus Ibsen <cl...@gmail.com>.
On Mon, Dec 13, 2021 at 11:37 AM David Ecker <da...@ecker-software.de> wrote:
>
> Hi Claus,
>
> the information is from Red Hat, if I understood it correctly:
>
> https://access.redhat.com/security/vulnerabilities/RHSB-2021-009
>

The blog post from Quarkus tells more about why Red Hat reported Camel K /
Camel Quarkus as affected: log4j-core was shipped in a product
.zip download
(but as we know, Camel is not affected)
https://quarkus.io/blog/quarkus-and-CVE-2021-4428/#red-hat-product-security-bulletin



> bye
> David
>
> On 12/13/21 11:32 AM, Claus Ibsen wrote:
> > On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
> >> Hi,
> >>
> >> since it looks like camel/camel-k is directly affected by the
> >> vulnerability, is a patch or a workaround for camel-k already available?
> >>
> > Where do you think that?
> >
> > camel-k runs on quarkus that is not affected. Camel is a library that
> > does not use log4j - we use slf4j-api as logging abstraction.
> > the builder pod for camel-k is using apache maven, which uses the
> > simpler logging from slf4j.
> >
> > not sure where you think log4j-core is actively in use in camel-k.
> >
> > A blog post is in draft at
> > https://github.com/apache/camel-website/pull/714
> >
> >> Thanks,
> >> David
> >
> >
>


-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2

Re: Apache Log4j Security Vulnerabilities

Posted by David Ecker <da...@ecker-software.de>.
Hi Claus,

the information is from Red Hat, if I understood it correctly:

https://access.redhat.com/security/vulnerabilities/RHSB-2021-009

bye
David

On 12/13/21 11:32 AM, Claus Ibsen wrote:
> On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
>> Hi,
>>
>> since it looks like camel/camel-k is directly affected by the
>> vulnerability, is a patch or a workaround for camel-k already available?
>>
> Where do you think that?
>
> camel-k runs on quarkus that is not affected. Camel is a library that
> does not use log4j - we use slf4j-api as logging abstraction.
> the builder pod for camel-k is using apache maven, which uses the
> simpler logging from slf4j.
>
> not sure where you think log4j-core is actively in use in camel-k.
>
> A blog post is in draft at
> https://github.com/apache/camel-website/pull/714
>
>> Thanks,
>> David
>
>


Re: Apache Log4j Security Vulnerabilities

Posted by Claus Ibsen <cl...@gmail.com>.
On Mon, Dec 13, 2021 at 10:45 AM David Ecker <da...@ecker-software.de> wrote:
>
> Hi,
>
> since it looks like camel/camel-k is directly affected by the
> vulnerability, is a patch or a workaround for camel-k already available?
>

Where do you think that?

camel-k runs on quarkus, which is not affected. Camel is a library that
does not use log4j - we use slf4j-api as logging abstraction.
The builder pod for camel-k is using apache maven, which uses the
simpler logging from slf4j.

not sure where you think log4j-core is actively in use in camel-k.

A blog post is in draft at
https://github.com/apache/camel-website/pull/714

> Thanks,
> David



-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2