[Fiware-technical-committee] Critical Vulnerability in Log4j: Log4Shell

Federico Michele Facca federico.facca at martel-innovate.com
Tue Dec 14 18:07:18 CET 2021


Dear Jason, Kazuhito,
Thanks a lot for the information. We are testing QL with the 4.6 version,
where the Crate team is backporting the fix.
I wonder whether there should be some specific actions beyond that, i.e.
should the risk of using the Crate 4.5 series (and probably other series
too) be signalled in the README?

Cheers,

*Dr. FEDERICO MICHELE FACCA*
*CTO, Head of Martel Lab*
+41 788075838
*MARTEL INNOVATE* <https://www.martel-innovate.com/> - INNOVATION, WE MAKE
IT HAPPEN
Click *HERE* to download Martel reports and white papers!
<https://www.martel-innovate.com/premium-content/>
Follow us on *TWITTER* <https://twitter.com/Martel_Innovate>


On Tue, 14 Dec 2021 at 17:10, Jason Fox <jason.fox at fiware.org> wrote:

> As I am sure you are all aware, a new critical vulnerability in Log4j has
> been discovered which is likely to affect a very wide range of open source
> software.
>
> You can just search for *Log4Shell* on the internet, but here are a
> couple of background links for information
>
>
>    -
>    https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
>    - https://www.wired.com/story/log4j-log4shell/
>
>
>
> Kazuhito Suda has kindly provided a first analysis of the likely effect
> across FIWARE Components. Please check to see if you are affected and update
> to a patched version as soon as possible. Failure to upgrade in a timely
> manner is a reputational risk, which is highly likely to damage the perceived
> trustworthiness of your company and indeed FIWARE as a whole.
>
>
> This list should not be considered comprehensive; everyone should also
> undertake a risk analysis of their own, of course.
>
> Please patch and update your software and add a new tagged release of your
> component. The updated version will automatically be added to the releases
> branch of the FIWARE Catalogue. In addition, the FIWARE Foundation will be
> labelling a *FIWARE 8.2* umbrella release at year end to ensure the latest
> patches are batched and consistently available. The usual FIWARE release
> notification eMail will appear in due course.
>
> Regards,
>
> Jason
>
>
>
>
>
> Jason Fox
> Technical Evangelist
> Jason.fox at fiware.org <juanjose.hierro at fiware.org>
> www.linkedin.com/in/jason-fox-8a79563
> <https://www.linkedin.com/in/jhierro>
>
>
>
> Begin forwarded message:
>
> *From:* <kazuhito at fisuda.jp>
> *Subject:* ***Vulnerability*** Apache Log4j (CVE-2021-44228)
> *Date:* 14 December 2021 at 07:41:58 CET
> *To:* "'Juanjo Hierro'" <juanjose.hierro at fiware.org>
> *Cc:* "'Stefano De Panfilis'" <stefano.depanfilis at fiware.org>, "'Jason
> Fox'" <jason.fox at fiware.org>
>
> Dear Juanjo,
>
> I am sharing with you information about a critical vulnerability in Apache
> Log4j and its impact on FIWARE GEs.
>
> On December 9, 2021, the Apache Software Foundation published a critical
> vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library.
> FIWARE GEs written in Java may be affected by this vulnerability.
>
> Please have a look at the CVE-2021-44228 in the following link:
> https://logging.apache.org/log4j/2.x/
>
> Log4j version 1.x does not have this vulnerability, because it does not
> have the Lookups feature. But Log4j version 1.x is an EOL product.
>
> I'm running FIWARE instances in the cloud, so I investigated its impact on
> the FIWARE GEs that I use. But please keep in mind that this is not perfect.
> I hope that FIWARE GE owners will investigate this effect.
>
> - Cygnus 2.15.0
> Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.
>
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
>
> https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42
>
> - Perseo-core
> Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.
>
> https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50
>
> - WireCloud 1.3
> WireCloud 1.3 depends on Elasticsearch 2.4.
>
> https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml
>
> Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this
> vulnerability.
>
> https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66
>
> - Draco
> Draco depends on Apache NiFi. Apache NiFi had this vulnerability and fixed
> it. Draco may be affected by this vulnerability.
>
>   NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
>   https://github.com/apache/nifi/pull/5600
>
> - Quantumleap
>   Quantumleap depends on CrateDB. CrateDB had this vulnerability and fixed
> it. Quantumleap may be affected by this vulnerability.
>
>   Update log4j to 2.15.0 (backport #11968) #11970
>   https://github.com/crate/crate/pull/11970
>
> - Scorpio
> Scorpio depends on Apache Kafka. But Kafka is probably not affected by this
> vulnerability.
>
>   security - Which version of Kafka are impacted due to log4j
>   CVE-2021-44228? - Stack Overflow
>   https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228
>
> - Knowage
> Knowage server uses Log4j 1.2.16, so it is not affected by this
> vulnerability.
>
> https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109
>
> - CKAN
>   CKAN depends on Apache Solr.
>   https://solr.apache.org/security.html
>   2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
>   Severity: Critical
>   Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
>
>
> Best regards,
> Kazuhito
>
> Begin forwarded message:
>
>
> __________________________________________________________________________________________
>
> You can get more information about our cookies and privacy policies on the
> following links:
> - https://wiki.fiware.org/FIWARE_Privacy_Policy
> - https://wiki.fiware.org/Cookies_Policy_FIWARE
>
>
> fiware-technical-committee mailing list
> fiware-technical-committee at lists.fiware.org
>
> To unsubscribe from fiware-technical-committee mailing list, go to the
> information page of the list at:
> https://lists.fiware.org/listinfo/fiware-technical-committee
>
>
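Kazuhito's analysis above comes down to one check repeated per component: find the Log4j artifact pinned in each pom.xml and compare its version with the affected range. The script below is an added example for this thread, not code from FIWARE or from any of the components named; it assumes a Maven POM in the standard namespace, treats 2.15.0 (the fix release named in the CrateDB PR) as the first fixed Log4j 2 version, and treats 1.x as unaffected by CVE-2021-44228 but end-of-life, exactly as the analysis does. The POM snippets it scans are constructed for the example and resemble, but are not, the real component POMs linked above.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not part of the mailing-list thread or of any FIWARE component.
# Maven POM namespace (standard; the constructed samples below use it too).
POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Maven coordinates of the Log4j artifacts worth flagging.
LOG4J_ARTIFACTS = {
    ("log4j", "log4j"),                          # Log4j 1.x
    ("org.apache.logging.log4j", "log4j-core"),  # Log4j 2 implementation
    ("org.apache.logging.log4j", "log4j-api"),   # normally pinned to the same version
}

AFFECTED_FROM = "2.0-beta9"  # first Log4j 2 release that shipped Lookups
FIXED_FROM = "2.15.0"        # fix release named in the CrateDB backport PR in the thread


def parse_version(text):
    """Turn '1.2.17', '2.14.1' or '2.0-beta9' into a comparable tuple.
    A pre-release tag sorts below the final release with the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def classify(version):
    """Verdict for one declared Log4j version against CVE-2021-44228."""
    v = parse_version(version)
    if v[0] < 2:
        return "not affected by CVE-2021-44228 (1.x has no Lookups), but EOL: plan a replacement"
    if v < parse_version(AFFECTED_FROM):
        return "below 2.0-beta9, outside the published affected range, but an old pre-release: upgrade"
    if v < parse_version(FIXED_FROM):
        return "VULNERABLE to CVE-2021-44228: upgrade to 2.15.0 or later"
    return "fixed for CVE-2021-44228; keep tracking later releases (NiFi moved on to 2.16.0)"


def resolve(value, props):
    """Expand ${name} placeholders using the POM's <properties> block."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def scan_pom(xml_text):
    """Return (groupId, artifactId, version, verdict) for every Log4j dependency,
    covering both <dependencies> and <dependencyManagement>."""
    root = ET.fromstring(xml_text)
    props = {p.tag.replace(POM_NS, ""): (p.text or "").strip()
             for p in root.iterfind(f"{POM_NS}properties/*")}
    project_version = root.findtext(f"{POM_NS}version")
    if project_version:
        props.setdefault("project.version", project_version.strip())
    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId", "").strip()
        aid = dep.findtext(f"{POM_NS}artifactId", "").strip()
        if (gid, aid) not in LOG4J_ARTIFACTS:
            continue
        raw = dep.findtext(f"{POM_NS}version", "").strip()
        version = resolve(raw, props)
        if not version or "${" in version:
            # No usable version here: it is inherited from a parent or BOM.
            verdict = "version not declared here (inherited/managed): check the parent POM"
        else:
            verdict = classify(version)
        findings.append((gid, aid, version or raw, verdict))
    return findings


# Constructed sample POMs (not the real component files).
SAMPLE_POMS = {
    "log4j1-pinned": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
  </dependencies></project>""",
    "property-pinned": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
  </dependencies></dependencyManagement></project>""",
    "patched": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.16.0</version></dependency>
  </dependencies></project>""",
    "managed-by-parent": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId></dependency>
  </dependencies></project>""",
}


def report(poms=SAMPLE_POMS):
    """Scan every sample POM and map its name to the findings."""
    return {name: scan_pom(xml) for name, xml in poms.items()}


if __name__ == "__main__":
    for name, findings in report().items():
        for gid, aid, version, verdict in findings:
            print(f"{name}: {gid}:{aid}:{version} -> {verdict}")
```

The check deliberately stops at the declared version: a POM that inherits Log4j from a parent or a BOM, as the "managed-by-parent" sample does, is reported as unresolved rather than guessed, which is the case Kazuhito flags for components that pull Log4j in through Nifi, CrateDB, Kafka or Solr rather than pinning it themselves. Apache also shipped fixed backports on older branches (2.12.2 for Java 7), so extend the comparison if a component pins one of those.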