[Fiware-ge-owners] [Fiware-technical-committee] Critical Vulnerability in Log4j: Log4Shell

kazuhito at fisuda.jp kazuhito at fisuda.jp
Wed Dec 15 00:54:11 CET 2021


This is additional information.

- Important: Security Vulnerability CVE-2021-45046 (logging.apache.org)

The Log4j team has been made aware of a security vulnerability, CVE-2021-45046, that has been addressed in Log4j 2.12.2 for Java 7 and 2.16.0 for Java 8 and up.

https://logging.apache.org/log4j/2.x/

- CVE-2021-45046 Detail (nvd.nist.gov)

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations.

Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

https://nvd.nist.gov/vuln/detail/CVE-2021-45046

Best regards,

Kazuhito

From: fiware-technical-committee-bounces at lists.fiware.org <fiware-technical-committee-bounces at lists.fiware.org> On Behalf Of Federico Michele Facca
Sent: Wednesday, December 15, 2021 2:07 AM
To: Jason Fox <jason.fox at fiware.org>
Cc: fiware-ge-owners at lists.fiware.org; FIWARE TSC <fiware-technical-committee at lists.fiware.org>
Subject: Re: [Fiware-technical-committee] Critical Vulnerability in Log4j: Log4Shell

Dear Jason, Kazuhito,

Thanks a lot for the information. We are testing ql with the 4.6 version, where the crate team is backporting the fix.

I wonder if there should anyhow be some specific actions beyond that, i.e. should the risk be signalled in the readme if using the crate 4.5 series (and probably more than this series)?

Cheers,

Dr. FEDERICO MICHELE FACCA
CTO, Head of Martel Lab
+41 788075838

MARTEL INNOVATE - INNOVATION, WE MAKE IT HAPPEN <https://www.martel-innovate.com/>

On Tue, 14 Dec 2021 at 17:10, Jason Fox <jason.fox at fiware.org <mailto:jason.fox at fiware.org> > wrote:

As I am sure you are all aware, a new critical vulnerability in Log4j has been discovered which is likely to affect a very wide range of open source software.

You can just search for Log4Shell on the internet, but here are a couple of background links for information:

- https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
- https://www.wired.com/story/log4j-log4shell/

Kazuhito Suda has kindly provided a first analysis of the likely effect across FIWARE Components. Please check to see if you are affected and update to a patched version as soon as possible. Failure to upgrade in a timely manner is a reputational risk, which is highly likely to damage the perceived trustworthiness of your company and indeed FIWARE as a whole.

This list should not be considered comprehensive; everyone should of course also undertake a risk analysis of their own.

Please patch and update your software and add a new tagged release of your component. The updated version will automatically be added to the releases branch of the FIWARE Catalogue. In addition, the FIWARE Foundation will be labelling a FIWARE 8.2 umbrella release at year end to ensure the latest patches are batched and consistently available. The usual FIWARE release notification eMail will appear in due course.

Regards,

Jason

Jason Fox
Technical Evangelist
Jason.fox at fiware.org
www.linkedin.com/in/jason-fox-8a79563

 








Begin forwarded message:

From: <kazuhito at fisuda.jp <mailto:kazuhito at fisuda.jp> >
Subject: ***Vulnerability*** Apache Log4j (CVE-2021-44228)
Date: 14. December 2021 at 07:41:58 CET
To: "'Juanjo Hierro'" <juanjose.hierro at fiware.org <mailto:juanjose.hierro at fiware.org> >
Cc: "'Stefano De Panfilis'" <stefano.depanfilis at fiware.org <mailto:stefano.depanfilis at fiware.org> >, "'Jason Fox'" <jason.fox at fiware.org <mailto:jason.fox at fiware.org> >

Dear Juanjo,

I am sharing with you information about a critical vulnerability in Apache Log4j and its impact on FIWARE GEs.

On December 9, 2021, the Apache Software Foundation published a critical vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library. FIWARE GEs written in Java may be affected by this vulnerability.

Please have a look at CVE-2021-44228 at the following link:

https://logging.apache.org/log4j/2.x/

Log4j version 1.x does not have this vulnerability, because it does not have the Lookups feature. But Log4j version 1.x is an EOL product.

I'm running FIWARE instances in the cloud, so I investigated its impact on the FIWARE GEs which I use. But please keep in mind that this is not perfect. I hope that FIWARE GE owners will investigate this effect.

- Cygnus 2.15.0

  Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.

  https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
  https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
  https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
  https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42

- Perseo-core

  Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.

  https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50

- WireCloud 1.3

  WireCloud 1.3 depends on Elasticsearch 2.4.

  https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml

  Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this vulnerability.

  https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66

- Draco

  Draco depends on Apache NiFi. Apache NiFi had this vulnerability and fixed it. Draco may be affected by this vulnerability.

  NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
  https://github.com/apache/nifi/pull/5600

- QuantumLeap

  QuantumLeap depends on CrateDB. CrateDB had this vulnerability and fixed it. QuantumLeap may be affected by this vulnerability.

  Update log4j to 2.15.0 (backport #11968) #11970
  https://github.com/crate/crate/pull/11970

- Scorpio

  Scorpio depends on Apache Kafka, but Kafka is probably not affected by this vulnerability.

  security - Which version of Kafka are impacted due to log4j CVE-2021-44228? - Stack Overflow
  https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228

- Knowage

  Knowage server uses Log4j 1.2.16, so it is not affected by this vulnerability.

  https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109

- CKAN

  CKAN depends on Apache Solr.

  https://solr.apache.org/security.html

  2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
  Severity: Critical
  Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0

Best regards,

Kazuhito
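The two messages from Kazuhito above come down to a small set of version facts: Log4j 1.x lacks the Lookups feature and is not affected (but is EOL); Log4j 2.15.0 fixed CVE-2021-44228 only incompletely (CVE-2021-45046); and 2.12.2 (Java 7) and 2.16.0 (Java 8 and up) address the follow-up. The script below is an added example, not code from this thread or from any FIWARE project. It turns those facts into a triage check for Maven pom.xml files of the kind linked in the per-component analysis: it resolves `${...}` version properties, finds `log4j:log4j` and `org.apache.logging.log4j:log4j-core` dependencies, and classifies each. The pom documents are constructed samples, the `pom()` builder, function names and status labels are my own, and the lower bound 2.0-beta9 for the affected 2.x line comes from the Apache advisory rather than from this thread.

```python
"""Triage Log4j dependencies declared in Maven pom.xml files.

Added example, not code from the FIWARE thread or from any FIWARE project.
The classification encodes what the thread states:
  * Log4j 1.x (artifact log4j:log4j) has no Lookups feature, so these CVEs
    do not apply, but the 1.x line is end-of-life (EOL).
  * Log4j 2.15.0 fixed CVE-2021-44228, but incompletely (CVE-2021-45046).
  * CVE-2021-45046 is addressed in 2.12.2 (Java 7) and 2.16.0 (Java 8+).
The lower bound 2.0-beta9 for the affected 2.x line comes from the Apache
advisory, not from the thread. The pom documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Status labels returned by triage_log4j() (names chosen for this example).
LOG4J1_EOL = "LOG4J1_EOL"                    # not affected, but end-of-life
VULN_BOTH = "CVE-2021-44228,CVE-2021-45046"  # 2.x before 2.15.0
VULN_45046 = "CVE-2021-45046"                # exactly 2.15.0 (incomplete fix)
PATCHED = "PATCHED"                          # 2.12.2+ on 2.12.x, or 2.16.0+
UNRESOLVED = "VERSION_UNRESOLVED"            # version managed elsewhere


def parse_version(text):
    """'2.15.0' -> (2, 15, 0). A pre-release suffix such as '-beta9' is
    dropped, so '2.0-beta9' sorts as 2.0.0; earlier 2.0 pre-releases would
    then be flagged as well, which errs on the safe side."""
    main = text.strip().split("-")[0]
    nums = [int(n) for n in re.findall(r"\d+", main)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def triage_log4j(group_id, artifact_id, version):
    """Classify one Maven dependency; None when it is not a Log4j runtime artifact."""
    if (group_id, artifact_id) == ("log4j", "log4j"):
        return LOG4J1_EOL
    if (group_id, artifact_id) != ("org.apache.logging.log4j", "log4j-core"):
        return None
    if not version or "${" in version:
        return UNRESOLVED  # inherited from a parent/BOM: check that pom instead
    v = parse_version(version)
    if v >= (2, 16, 0) or (2, 12, 2) <= v < (2, 13, 0):
        return PATCHED
    if v == (2, 15, 0):
        return VULN_45046
    if v >= (2, 0, 0):
        return VULN_BOTH
    return None


def scan_pom(pom_xml):
    """Return [(coordinate, resolved version, status)] for every Log4j
    dependency in a pom, resolving ${property} references from <properties>."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        gid = dep.findtext("m:groupId", default="", namespaces=NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=NS).strip()
        raw = dep.findtext("m:version", default="", namespaces=NS).strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        status = triage_log4j(gid, aid, version)
        if status is not None:
            findings.append((f"{gid}:{aid}", version, status))
    return findings


def pom(*deps, properties=""):
    """Build a minimal constructed pom.xml string for the samples below."""
    body = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version></dependency>" for g, a, v in deps)
    return (f'<project xmlns="{POM_NS}"><modelVersion>4.0.0</modelVersion>'
            f"<properties>{properties}</properties>"
            f"<dependencies>{body}</dependencies></project>")


# Constructed samples, modelled on the kinds of declarations the thread links to.
SAMPLE_LOG4J1 = pom(("log4j", "log4j", "1.2.17"), ("junit", "junit", "4.13.2"))
SAMPLE_LOG4J2_PROPERTY = pom(
    ("org.apache.logging.log4j", "log4j-core", "${log4j.version}"),
    properties="<log4j.version>2.15.0</log4j.version>")
SAMPLE_LOG4J2_FIXED = pom(("org.apache.logging.log4j", "log4j-core", "2.16.0"))

if __name__ == "__main__":
    samples = [("log4j1", SAMPLE_LOG4J1), ("log4j2-property", SAMPLE_LOG4J2_PROPERTY),
               ("log4j2-fixed", SAMPLE_LOG4J2_FIXED)]
    for name, doc in samples:
        for coord, version, status in scan_pom(doc):
            print(f"{name}: {coord} {version} -> {status}")
```

To run it against a real component, replace the constructed samples with the contents of the pom.xml files linked above (`scan_pom(open("pom.xml").read())`); a `VERSION_UNRESOLVED` result means the version is inherited from a parent pom or a BOM and that file has to be checked too, and a clean pom says nothing about transitive dependencies such as Elasticsearch, NiFi, CrateDB or Solr, which is why the thread checks those projects separately.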
