As I am sure you are all aware, a new critical vulnerability in Log4j has been discovered which is likely to affect a very wide range of open source software. You can just search for Log4Shell on the internet, but here are a couple of background links for information:

https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
https://www.wired.com/story/log4j-log4shell/

Kazuhito Suda has kindly provided a first analysis of the likely effect across FIWARE Components. Please check to see if you are affected and update to a patched version as soon as possible. Failure to upgrade in a timely manner is a reputational risk, which is highly likely to damage the perceived trustworthiness of your company and indeed of FIWARE as a whole. This list should not be considered comprehensive; everyone should of course also undertake a risk analysis of their own.

Please patch and update your software and add a new tagged release of your component. The updated version will automatically be added to the releases branch of the FIWARE Catalogue. Additionally, the FIWARE Foundation will be labelling a FIWARE 8.2 umbrella release at year end to ensure the latest patches are batched and consistently available. The usual FIWARE release notification eMail will appear in due course.

Regards,
Jason

Jason Fox
Technical Evangelist
Jason.fox at fiware.org
www.linkedin.com/in/jason-fox-8a79563

> Begin forwarded message:
>
> From: <kazuhito at fisuda.jp>
> Subject: ***Vulnerability*** Apache Log4j (CVE-2021-44228)
> Date: 14. December 2021 at 07:41:58 CET
> To: "'Juanjo Hierro'" <juanjose.hierro at fiware.org>
> Cc: "'Stefano De Panfilis'" <stefano.depanfilis at fiware.org>, "'Jason Fox'" <jason.fox at fiware.org>
>
> Dear Juanjo,
>
> I share with you information about a critical vulnerability in Apache Log4j and its impact on FIWARE GEs.
>
> On December 9, 2021, the Apache Software Foundation published a critical vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library. FIWARE GEs written in Java may be affected by this vulnerability.
>
> Please have a look at CVE-2021-44228 at the following link:
> https://logging.apache.org/log4j/2.x/
>
> Log4j version 1.x does not have this vulnerability, because it does not have the Lookups feature. But Log4j version 1.x is an EOL product.
>
> I'm running FIWARE instances in the cloud, so I investigated its impact on the FIWARE GEs which I use. But please keep in mind that this is not perfect. I hope that FIWARE GE owners will investigate this effect.
>
> - Cygnus 2.15.0
> Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42
>
> - Perseo-core
> Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.
> https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50
>
> - WireCloud 1.3
> WireCloud 1.3 depends on Elasticsearch 2.4.
> https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml
>
> Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this vulnerability.
> https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66
>
> - Draco
> Draco depends on Apache NiFi. Apache NiFi had this vulnerability and fixed it. Draco may be affected by this vulnerability.
>
> NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
> https://github.com/apache/nifi/pull/5600
>
> - QuantumLeap
> QuantumLeap depends on CrateDB. CrateDB had this vulnerability and fixed it. QuantumLeap may be affected by this vulnerability.
>
> Update log4j to 2.15.0 (backport #11968) #11970
> https://github.com/crate/crate/pull/11970
>
> - Scorpio
> Scorpio depends on Apache Kafka. But Kafka is probably not affected by this vulnerability.
>
> security - Which version of Kafka are impacted due to log4j CVE-2021-44228? - Stack Overflow
> https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228
>
> - Knowage
> Knowage server uses Log4j 1.2.16, so it is not affected by this vulnerability.
> https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109
>
> - CKAN
> CKAN depends on Apache Solr.
> https://solr.apache.org/security.html
> 2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
> Severity: Critical
> Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
>
>
> Best regards,
> Kazuhito
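The forwarded analysis above reads each component's pom.xml by hand, but an operator running a deployed FIWARE stack usually has only the shipped jars and WARs, often with Log4j bundled inside a fat jar or under WEB-INF/lib. The following scanner is an added example written for this page; it is not FIWARE code and does not come from either message. It walks a directory, opens every jar/war (recursing into nested archives), reads the Maven pom.properties that Log4j ships inside the jar to get the exact version, and classifies it against CVE-2021-44228 using the Apache Log4j security page's ranges: 2.0-beta9 to 2.14.1 vulnerable, 2.15.0 closed by default but superseded by CVE-2021-45046, 2.16.0+ (and the 2.12.2 Java 7 and 2.3.1 Java 6 backport lines) fixed, 1.x not affected (no Lookups, but EOL). It also reports whether JndiLookup.class is still present, since deleting that class was the published mitigation for jars that could not be upgraded. The sample jars in `demo()` are constructed in memory and contain placeholder bytes, not real Log4j classes.

```python
"""Scan jars/wars (including nested ones) for bundled Log4j and classify
them against CVE-2021-44228. Added example; not FIWARE or Apache code."""
import io
import os
import sys
import zipfile

# Maven metadata that Log4j builds ship inside the jar:
# META-INF/maven/<groupId>/<artifactId>/pom.properties
LOG4J2_CORE = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1 = "META-INF/maven/log4j/log4j/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.0-beta9' -> ((2, 0, 0), 'beta9'); '1.2.17' -> ((1, 2, 17), '')."""
    core, _, tag = text.strip().partition("-")
    nums = tuple(int(x) for x in core.split(".") if x.isdigit())
    return (nums + (0, 0, 0))[:3], tag


def classify(version, jndi_lookup_present):
    """Map a log4j version (plus JndiLookup presence) to a CVE-2021-44228 status."""
    nums, _tag = parse_version(version)
    if nums[0] == 1:
        return "not affected by CVE-2021-44228 (1.x has no Lookups, but is EOL)"
    if nums[0] != 2:
        return "unknown version scheme"
    if nums >= (2, 16, 0):
        return "fixed"
    if nums[:2] == (2, 12) and nums[2] >= 2:  # Java 7 backport line (2.12.2+)
        return "fixed"
    if nums[:2] == (2, 3) and nums[2] >= 1:   # Java 6 backport line (2.3.1+)
        return "fixed"
    if not jndi_lookup_present:
        return "JndiLookup.class absent (removed, or pre-2.0-beta9): not exploitable via JNDI lookup"
    if nums == (2, 15, 0):
        return "partial: CVE-2021-44228 closed by default, CVE-2021-45046 still open; upgrade"
    return "VULNERABLE to CVE-2021-44228"


def read_version(zf, name):
    """Return the 'version=' value from a pom.properties entry, or None."""
    with zf.open(name) as fh:
        for line in io.TextIOWrapper(fh, encoding="utf-8"):
            key, _, val = line.strip().partition("=")
            if key == "version":
                return val
    return None


def scan_archive(data, label):
    """Return findings for one archive (bytes), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = set(zf.namelist())
        jndi = JNDI_LOOKUP in names
        for coord in (LOG4J2_CORE, LOG4J1):
            if coord in names:
                version = read_version(zf, coord) or "unknown"
                findings.append({"archive": label, "version": version,
                                 "jndi_lookup": jndi,
                                 "status": classify(version, jndi)})
        for name in sorted(names):  # fat jars, WEB-INF/lib, BOOT-INF/lib ...
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_directory(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), path))
    return findings


def build_sample_jar(version, group, artifact, with_jndi_class):
    """Constructed sample jar: only Maven metadata and a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={group}\nartifactId={artifact}\n")
        if with_jndi_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not a real class
    return buf.getvalue()


def demo():
    """Run the scanner over constructed samples: a fat jar nesting log4j-core 2.14.1,
    a standalone log4j-core 2.17.1, and a log4j 1.2.17 jar as used by Cygnus."""
    core_2_14 = build_sample_jar("2.14.1", "org.apache.logging.log4j", "log4j-core", True)
    core_2_17 = build_sample_jar("2.17.1", "org.apache.logging.log4j", "log4j-core", True)
    log4j1 = build_sample_jar("1.2.17", "log4j", "log4j", False)
    fat = io.BytesIO()
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", core_2_14)
    return (scan_archive(fat.getvalue(), "app.jar")
            + scan_archive(core_2_17, "log4j-core-2.17.1.jar")
            + scan_archive(log4j1, "log4j-1.2.17.jar"))


if __name__ == "__main__":
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['archive']}: log4j {f['version']} (JndiLookup present: {f['jndi_lookup']}) -> {f['status']}")
```

Run it as `python scan_log4j.py /opt/fiware` against a real deployment; without an argument it scans the constructed samples. The version string is taken from the jar's own pom.properties rather than from the file name, because renamed or shaded jars are exactly the ones a grep on file names misses, and the recursion into nested archives catches Log4j embedded in Spring Boot fat jars and WARs.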