Dear all,

First of all, sorry for the very extended email. The reason for it is to share with you the security analysis of the FIWARE Generic Enablers that are currently under the scope of the periodical monthly analysis. This data analysis has been developed after the critical issue detected with the Java library Log4j, about which you have received a previous email.

The relevance of this email is not only to inform you of the security analysis of the docker images that we did these days, but also to inform you that one of our FIWARE Ecosystem members, precisely the WATERNET company, has decided to dismiss the use of the Cygnus component due to a previous Critical Security Issue related to CVE-2019-17571, also related to Log4j. This is not good information, and probably other companies might take the same action in production environments, especially if we are talking about critical infrastructure management. They are requesting us to know when a new version correcting this issue will be available.

Both CVE-2021-44228 and CVE-2019-17571 are issues identified with a high base score (10 and 9.8) and with Severity: Critical, but they are not the only ones...

Given that, I made a data analysis of the last report generated by our tool, especially related to the following FIWARE Generic Enablers:

- Cygnus
- Draco
- IoTAgent-SigFox
- Keyrock
- Orion-LD
- Orion
- Stellio API
- Stellio Entity Service
- Stellio Search Service
- Stellio Subscription Service
- Stellio Timescale PostGIS
- Wilma

For all of them you have received each month the security report with the identified vulnerabilities. I have extracted from the report generated yesterday the following analysis, focusing on the issues with a base score bigger than 9. To reduce the size of the email, I do not put here all of the identified security issues, but I can provide them if you want. Nevertheless, this is something that can be extracted from the security reports as well.
At the moment, I have not identified CVE-2021-44228 on these enablers in the docker image version latest, but I have identified CVE-2019-17571 in Cygnus and Draco. These are not the only ones; there are other issues identified as Critical in the reports. Therefore, from the point of view of the reputation of the FIWARE Community, we should work to resolve those critical security issues as soon as possible. We expect to extend the analysis to the rest of the components in the following weeks with your help.

Summary of vulnerabilities per enabler (counts from the report generated yesterday):

Component                      Total  Without NVD Data  With NVD Data  CVSS v2 Base Score > 9  CVSS v3 Base Score > 9
Cygnus                          1807                 0           1807                      27                     274
Draco                            263                 0            263                       1                      10
IoTAgent SigFox                   31                 0             31                       2                       4
Keyrock                          120                 4            116                       1                      17
Orion-LD                         100                19             81                       0                      11
Orion                            207                22            185                       0                      18
Stellio API                       82                 1             81                       0                      10
Stellio Entity Service            22                 0             22                       0                       4
Stellio Search Service           103                 1            102                       0                      14
Stellio Subscription Service     114                 1            113                       0                      17
Stellio Timescale PostGIS         90                 3             87                       0                       4
Wilma                             29                 0             29                       1                       2

On 14.12.21 17:10, Jason Fox wrote:
> As I am sure you are all aware, a new critical vulnerability in Log4j has been discovered which is likely to affect a very wide range of open source software.
>
> You can just search for *Log4Shell* on the internet, but here are a couple of background links for information:
>
> * https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
> * https://www.wired.com/story/log4j-log4shell/
>
> Kazuhito Suda has kindly provided a first analysis of likely effect across FIWARE Components. Please check to see if you are affected and update to a patched version as soon as possible. Failure to upgrade in a timely manner is a reputational risk, which is highly likely to damage the perceived trustworthiness of your company and indeed FIWARE as a whole.
>
> This list should not be considered as comprehensive; everyone should also undertake a risk analysis of your own, of course.
>
> Please patch and update your software and add a new tagged release of your component. The updated version will automatically be added to the releases branch of the FIWARE Catalogue. In addition, the FIWARE Foundation will be labelling a *FIWARE 8.2* umbrella release at year end to ensure the latest patches are batched and consistently available. The usual FIWARE release notification eMail will appear in due course.
>
> Regards,
>
> Jason
>
> Jason Fox
> Technical Evangelist
> Jason.fox at fiware.org
> www.linkedin.com/in/jason-fox-8a79563
>
>> Begin forwarded message:
>>
>> *From: *<kazuhito at fisuda.jp>
>> *Subject: *[Vulnerability] Apache Log4j (CVE-2021-44228)
>> *Date: *14. December 2021 at 07:41:58 CET
>> *To: *"'Juanjo Hierro'" <juanjose.hierro at fiware.org>
>> *Cc: *"'Stefano De Panfilis'" <stefano.depanfilis at fiware.org>, "'Jason Fox'" <jason.fox at fiware.org>
>>
>> Dear Juanjo,
>>
>> I share with you information about a critical vulnerability in Apache Log4j and its impact on FIWARE GEs.
>>
>> On December 9, 2021, the Apache Software Foundation published a critical vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library. FIWARE GEs written in Java may be affected by this vulnerability. Please have a look at CVE-2021-44228 in the following link:
>> https://logging.apache.org/log4j/2.x/
>>
>> Log4j version 1.x does not have this vulnerability, because it does not have the Lookups feature. But Log4j version 1.x is an EOL product.
>>
>> I'm running FIWARE instances in the cloud, so I investigated its impact on the FIWARE GEs which I use. But please keep in mind that this is not perfect. I hope that FIWARE GE owners will investigate this effect.
>>
>> - Cygnus 2.15.0
>>   Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.
>>   https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
>>   https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
>>   https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
>>   https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42
>> - Perseo-core
>>   Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.
>>   https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50
>> - WireCloud 1.3
>>   WireCloud 1.3 depends on Elasticsearch 2.4.
>>   https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml
>>   Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this vulnerability.
>>   https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66
>> - Draco
>>   Draco depends on Apache NiFi. Apache NiFi had this vulnerability and fixed it. Draco may be affected by this vulnerability.
>>   NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
>>   https://github.com/apache/nifi/pull/5600
>> - QuantumLeap
>>   QuantumLeap depends on CrateDB. CrateDB had this vulnerability and fixed it. QuantumLeap may be affected by this vulnerability.
>>   Update log4j to 2.15.0 (backport #11968) #11970
>>   https://github.com/crate/crate/pull/11970
>> - Scorpio
>>   Scorpio depends on Apache Kafka. But probably Kafka may not be affected by this vulnerability.
>>   security - Which version of Kafka are impacted due to log4j CVE-2021-44228? - Stack Overflow
>>   https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228
>> - Knowage
>>   Knowage server uses Log4j 1.2.16, so it is not affected by this vulnerability.
>>   https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109
>> - CKAN
>>   CKAN depends on Apache Solr.
>>   https://solr.apache.org/security.html
>>   2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
>>   Severity: Critical
>>   Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0
>>
>> Best regards,
>> Kazuhito

--
Fernando López Aguilar
FIWARE Cloud & Platform Senior Expert
M. +49 1522 2600767
fernando.lopez at fiware.org
www.fiware.org
Twitter: @fiware @flopezaguilar
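As an added example (not part of the original email, nor of the FIWARE security tool it refers to), the script below produces the same per-enabler summary the report gives: total findings, findings with and without NVD data, the count whose CVSS v2 or v3 base score is above 9, and the list of CVEs on a watch-list so the two Log4j issues discussed in the thread are called out explicitly. The finding layout and the sample scan are constructed assumptions; only the v3 scores of the two Log4j CVEs (10 and 9.8) come from the email, the v2 scores and the CVE-0000-* rows are placeholders.

```python
"""Summarise a container-image vulnerability scan the way the monthly FIWARE
report does. Added example: the Finding layout, the sample scan and the
watch-list are assumptions, not the real tool's output format."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    cvss_v2: Optional[float]   # None when NVD has no data for this CVE
    cvss_v3: Optional[float]


THRESHOLD = 9.0   # the email counts findings with base score strictly > 9
WATCHLIST = {"CVE-2021-44228", "CVE-2019-17571"}   # the two CVEs discussed in the thread

# Constructed scan output (not a real report). v3 scores of the two Log4j CVEs
# are the ones quoted in the email; v2 scores and the CVE-0000-* rows are placeholders.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("CVE-2021-44228", "log4j-core", "2.14.1", 9.3, 10.0),
    Finding("CVE-2019-17571", "log4j", "1.2.17", 7.5, 9.8),
    Finding("CVE-0000-0001", "placeholder-lib", "0.1", 4.3, 3.7),
    Finding("CVE-0000-0002", "placeholder-lib", "0.1", 10.0, 9.8),
    Finding("CVE-0000-0003", "placeholder-lib", "0.1", None, None),  # no NVD data yet
]


def has_nvd_data(f: Finding) -> bool:
    """A finding 'has NVD data' when at least one base score is known."""
    return f.cvss_v2 is not None or f.cvss_v3 is not None


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Compute the counters used in the monthly report plus a watch-list check."""
    return {
        "total": len(findings),
        "without_nvd": sum(not has_nvd_data(f) for f in findings),
        "with_nvd": sum(has_nvd_data(f) for f in findings),
        "v2_gt9": sum(f.cvss_v2 is not None and f.cvss_v2 > THRESHOLD for f in findings),
        "v3_gt9": sum(f.cvss_v3 is not None and f.cvss_v3 > THRESHOLD for f in findings),
        # CVEs to chase first: v3 base score above the threshold
        "critical": sorted(f.cve for f in findings if (f.cvss_v3 or 0.0) > THRESHOLD),
        "watchlist_hits": sorted(f.cve for f in findings if f.cve in WATCHLIST),
    }


def render(component: str, s: Dict[str, object]) -> str:
    """Format the summary in the same wording the email uses."""
    lines = [
        f"Summary of vulnerabilities of {component}",
        f"Number of vulnerabilities: {s['total']}",
        f"Number of vulnerabilities without NVD Data: {s['without_nvd']}",
        f"Number of vulnerabilities with NVD Data: {s['with_nvd']}",
        f"Number of vulnerabilities with CVSS v2 Base Score > 9: {s['v2_gt9']}",
        f"Number of vulnerabilities with CVSS v3 Base Score > 9: {s['v3_gt9']}",
        "Watch-list CVEs present: " + (", ".join(s["watchlist_hits"]) or "none"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("sample-image:latest", summarize(SAMPLE_FINDINGS)))
```

The counters are kept separate from the rendering so the same `summarize()` can feed a table across images (one row per enabler, as in the email) or a per-image block; a real report would be loaded from the scanner's export in place of `SAMPLE_FINDINGS`.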
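Kazuhito's analysis in the forwarded message works by reading the Log4j version out of each component's pom.xml. The following script, added here and not part of the thread or of any FIWARE project, automates that check for a Maven POM: it handles the POM namespace, resolves `${property}` versions from `<properties>`, and classifies each Log4j dependency using the facts stated in the thread (Log4j 1.x has no Lookups and so is not affected by CVE-2021-44228, but is EOL and is the line the scanner flags for CVE-2019-17571; Log4j 2 before 2.15.0, the first fixed release cited in the thread, is affected). The sample POM and the rule that every 2.x release below 2.15.0 counts as affected are assumptions.

```python
"""Find Log4j dependencies in a Maven pom.xml and classify them against the
Log4Shell facts given in the thread. Added example: the sample POM is
constructed and the classification rules are assumptions noted inline."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Maven coordinates of the two Log4j lines (1.x and the 2.x core artifact).
LOG4J_COORDS = {("log4j", "log4j"), ("org.apache.logging.log4j", "log4j-core")}


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on namespaced tags."""
    return tag.rsplit("}", 1)[-1]


def _version_key(version: str) -> Tuple[int, ...]:
    """'2.0-beta9' -> (2, 0); '1.2.17' -> (1, 2, 17); unparsable -> ()."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-")[0]))


def _resolve(version: str, props: Dict[str, str]) -> str:
    """Replace a ${property} reference with its value from <properties>."""
    m = re.fullmatch(r"\$\{([^}]+)\}", version.strip())
    return props.get(m.group(1), version.strip()) if m else version.strip()


def log4j_dependencies(pom_xml: str) -> List[Tuple[str, str, str]]:
    """Return [(groupId, artifactId, resolved version)] for every Log4j dependency."""
    root = ET.fromstring(pom_xml)
    props: Dict[str, str] = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        if (f.get("groupId"), f.get("artifactId")) in LOG4J_COORDS:
            found.append((f["groupId"], f["artifactId"], _resolve(f.get("version", ""), props)))
    return found


def assess(version: str) -> str:
    """Classify a Log4j version (assumed rules, derived from the thread):
    1.x  -> 'log4j1-eol': no Lookups, so not CVE-2021-44228, but EOL and
            the line flagged for CVE-2019-17571 in the scan reports
    2.x  -> 'affected' below 2.15.0, 'fixed' from 2.15.0 on
    anything unparsable (empty, unresolved ${prop}) -> 'unknown'"""
    key = _version_key(version)
    if not key:
        return "unknown"
    if key[0] == 1:
        return "log4j1-eol"
    if key < (2, 15):
        return "affected"
    return "fixed"


def report(pom_xml: str) -> List[Tuple[str, str, str, str]]:
    """One (groupId, artifactId, version, status) row per Log4j dependency."""
    return [(g, a, v, assess(v)) for g, a, v in log4j_dependencies(pom_xml)]


# Constructed POM: one Log4j 1.x dependency, one Log4j 2 core pinned via a
# property, and one unrelated dependency that must be ignored.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.14.1</log4j2.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId><version>1.2.17</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for g, a, v, status in report(SAMPLE_POM):
        print(f"{g}:{a}:{v} -> {status}")
```

An `unknown` result (version inherited from a parent POM or a BOM in `<dependencyManagement>`) is a prompt to resolve the effective POM with `mvn help:effective-pom` before trusting the answer; treating it as "not affected" is how a 1.2.17 or 2.14.1 slips through.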