Dear Fernando,

With regards to Cygnus (which is explicitly mentioned), note that CVE-2019-17571 does not have any impact, as Cygnus doesn't use SocketAppender, which is used in turn by the SocketServer class affected by the vulnerability. Anyway, it is worth noting that Cygnus is a CB connector which doesn't expose any API, so the probability of doing any injection attack in the log4j library is 0 from a practical point of view.

With regards to the reports, as a general comment, I'm afraid this email is not useful. It only shows statistical information regarding each component, but not information that allows us to know if a given vulnerability is relevant for the component and, in the positive case, which actions to take to solve it. For instance, it is not useful for me to know that in Orion we have 10 vulnerabilities of type "CVSS v3 Base Score" (whatever that means ☺). What brings value is to know which vulnerabilities they are, if they affect Orion or not and, in the positive case, how to solve them. Could you provide such detailed information, please?

Best regards,

------
Fermín

From: fiware-technical-committee-bounces at lists.fiware.org <fiware-technical-committee-bounces at lists.fiware.org> On behalf of Fernando Lopez
Sent: Wednesday, 15 December 2021 16:58
To: fiware-technical-committee at lists.fiware.org
CC: Ulrich Ahle <ulrich.ahle at fiware.org>
Subject: [Fiware-technical-committee] [VERY URGENT] Critical Vulnerability in Log4j: Log4Shell
Importance: High

Dear all,

First of all, sorry for the very long email. The reason for it is to share with you the security analysis of the FIWARE Generic Enablers that are currently under the scope of the periodical monthly analysis. This data analysis has been developed after the critical issue detected in the Java library Log4j, about which you have received a previous email.
The relevance of this email is not only to inform you of the security analysis of the docker image that we did these days, but also to inform you that one of our FIWARE Ecosystem members, precisely the WATERNET company, has decided to dismiss the use of the Cygnus component due to a previous Critical Security Issue related to CVE-2019-17571, also related to Log4j. This is not good news, and probably other companies might take the same action in production environments, especially if we are talking about critical infrastructure management. They are requesting us to know when a new version to correct this issue will be available.

Both CVE-2021-44228 and CVE-2019-17571 are issues identified with a high base score (10 and 9.8) and with Severity: Critical, but they are not the only ones... Given that, I made a data analysis of the last report generated by our tool, especially related to the following FIWARE Generic Enablers:

- Cygnus
- Draco
- IoTAgent-SigFox
- Keyrock
- Orion-LD
- Orion
- Stellio API
- Stellio Entity Service
- Stellio Search Service
- Stellio Subscription Service
- Stellio Timescale PostGIS
- Wilma

For all of them you have received each month the security report with the identified vulnerabilities. I have extracted from the report generated yesterday the following analysis, focusing on the issues with a base score bigger than 9. To reduce the size of the email, I do not put here all of the identified security issues, but I can provide them if you want. Nevertheless, this is something that can be extracted from the security reports as well.

At the moment, I have not identified CVE-2021-44228 on these enablers in the docker image version latest, but I have identified CVE-2019-17571 in Cygnus and Draco. These are not the only ones; there are other issues identified as Critical in the reports. Therefore, from the point of view of the reputation of the FIWARE Community, we should work to resolve those critical security issues as soon as possible.
We expect to extend the analysis to the rest of the components in the following weeks with your help.

Summary of vulnerabilities per component:

Component                      Total   Without NVD data   With NVD data   CVSS v2 Base Score > 9   CVSS v3 Base Score > 9
Cygnus                          1807                  0            1807                       27                      274
Draco                            263                  0             263                        1                       10
IoTAgent SigFox                   31                  0              31                        2                        4
Keyrock                          120                  4             116                        1                       17
Orion-LD                         100                 19              81                        0                       11
Orion                            207                 22             185                        0                       18
Stellio API                       82                  1              81                        0                       10
Stellio Entity Service            22                  0              22                        0                        4
Stellio Search Service           103                  1             102                        0                       14
Stellio Subscription Service     114                  1             113                        0                       17
Stellio Timescale PostGIS         90                  3              87                        0                        4
Wilma                             29                  0              29                        1                        2

On 14.12.21 17:10, Jason Fox wrote:

As I am sure you are all aware, a new critical vulnerability in Log4j has been discovered which is likely to affect a very wide range of open source software. You can just search for Log4Shell on the internet, but here are a couple of background links for information:

* https://venturebeat.com/2021/12/10/the-log4j-vulnerability-is-bad-heres-the-good-news/
* https://www.wired.com/story/log4j-log4shell/

Kazuhito Suda has kindly provided a first analysis of the likely effect across FIWARE Components. Please check to see if you are affected and update to a patched version as soon as possible. Failure to upgrade in a timely manner is a reputational risk, which is highly likely to damage the perceived trustworthiness of your company and indeed FIWARE as a whole. This list should not be considered comprehensive; everyone should also undertake a risk analysis of their own, of course.

Please patch and update your software and add a new tagged release of your component. The updated version will automatically be added to the releases branch of the FIWARE Catalogue.
In addition, the FIWARE Foundation will be labelling a FIWARE 8.2 umbrella release at year end to ensure the latest patches are batched and consistently available. The usual FIWARE release notification eMail will appear in due course.

Regards,
Jason

Jason Fox
Technical Evangelist
Jason.fox at fiware.org
www.linkedin.com/in/jason-fox-8a79563

Begin forwarded message:

From: <kazuhito at fisuda.jp>
Subject: ***Vulnerability*** Apache Log4j (CVE-2021-44228)
Date: 14. December 2021 at 07:41:58 CET
To: "'Juanjo Hierro'" <juanjose.hierro at fiware.org>
Cc: "'Stefano De Panfilis'" <stefano.depanfilis at fiware.org>, "'Jason Fox'" <jason.fox at fiware.org>

Dear Juanjo,

I share with you information about a critical vulnerability in Apache Log4j and its impact on FIWARE GEs. On December 9, 2021, the Apache Software Foundation published a critical vulnerability (CVSS score 10.0) in Apache Log4j, a Java logging library. FIWARE GEs written in Java may be affected by this vulnerability. Please have a look at CVE-2021-44228 in the following link: https://logging.apache.org/log4j/2.x/

Log4j version 1.x does not have this vulnerability, because it does not have the Lookups feature. But Log4j version 1.x is an EOL product.

I'm running FIWARE instances in the cloud, so I investigated its impact on the FIWARE GEs which I use. But please keep in mind that this is not perfect. I hope that FIWARE GE owners will investigate this effect.

- Cygnus 2.15.0
Cygnus uses Log4j 1.2.17, so it is not affected by this vulnerability.
https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-common/pom.xml#L85
https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi/pom.xml#L40
https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-ngsi-ld/pom.xml#L41
https://github.com/telefonicaid/fiware-cygnus/blob/master/cygnus-twitter/pom.xml#L42

- Perseo-core
Perseo-core uses Log4j 1.2.17, so it is not affected by this vulnerability.
https://github.com/telefonicaid/perseo-core/blob/master/perseo-utils/pom.xml#L50

- WireCloud 1.3
WireCloud 1.3 depends on Elasticsearch 2.4.
https://github.com/Wirecloud/docker-wirecloud/blob/master/1.3/docker-compose.yml
Elasticsearch 2.4 uses Log4j 1.2.17, so it is not affected by this vulnerability.
https://github.com/elastic/elasticsearch/blob/2.4/pom.xml#L66

- Draco
Draco depends on Apache NiFi. Apache NiFi had this vulnerability and fixed it. Draco may be affected by this vulnerability.
NIFI-9482 Upgrade Log4j 2 from 2.15.0 to 2.16.0 #5600
https://github.com/apache/nifi/pull/5600

- Quantumleap
Quantumleap depends on CrateDB. CrateDB had this vulnerability and fixed it. Quantumleap may be affected by this vulnerability.
Update log4j to 2.15.0 (backport #11968) #11970
https://github.com/crate/crate/pull/11970

- Scorpio
Scorpio depends on Apache Kafka. But Kafka is probably not affected by this vulnerability.
security - Which version of Kafka are impacted due to log4j CVE-2021-44228? - Stack Overflow
https://stackoverflow.com/questions/70315574/which-version-of-kafka-are-impacted-due-to-log4j-cve-2021-44228

- Knowage
Knowage Server uses Log4j 1.2.16, so it is not affected by this vulnerability.
https://github.com/KnowageLabs/Knowage-Server/blob/master/knowage-api/pom.xml#L109

- CKAN
CKAN depends on Apache Solr.
https://solr.apache.org/security.html
2021-12-10, Apache Solr affected by Apache Log4J CVE-2021-44228
Severity: Critical
Versions Affected: 7.4.0 to 7.7.3, 8.0.0 to 8.11.0

Best regards,
Kazuhito

--
Fernando López Aguilar
FIWARE Cloud & Platform Senior Expert
M. +49 1522 2600767
fernando.lopez at fiware.org
www.fiware.org
Twitter: @fiware @flopezaguilar
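Kazuhito's check above (read the Log4j version each component declares in its pom.xml) and Fermín's point that a matching version is not the same as an exploitable deployment can be combined into a small triage script. The following is an added example, not code from the thread or from any FIWARE project: the pom content is constructed, and the version ranges come from the Apache advisories for the two CVEs named in the thread rather than from the e-mails.

```python
"""Triage Log4j dependencies declared in a Maven pom.xml against the two CVEs
named in the thread. Ranges follow the Apache advisories: CVE-2021-44228 is fixed
in 2.15.0 (2.12.2 / 2.3.1 on the Java 7 / 6 lines); CVE-2019-17571 affects every
Log4j 1.2.x release, 1.2.17 included. Example code, not a FIWARE project's own."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom: a Log4j 1.2.17 dependency as Cygnus declares it,
# a Log4j 2 core pinned through a Maven property, and an unrelated artifact.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j2.version>2.14.1</log4j2.version></properties>
  <dependencies>
    <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
      <version>1.2.17</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j2.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId>
      <version>4.13</version></dependency>
  </dependencies>
</project>"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """'2.0-beta9' -> (2, 0, 0, 0, 'beta9'); the fourth field is 1 for a
    release and 0 for a pre-release, so 2.0-beta9 sorts before 2.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, tag or "")


def log4j_dependencies(pom_xml):
    """Yield (groupId, artifactId, version) for every Log4j artifact in the
    pom, resolving ${property} placeholders from the <properties> block."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    for dep in root.findall(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        raw = dep.findtext("m:version", "", NS).strip()
        ver = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)
        if gid in ("log4j", "org.apache.logging.log4j"):
            yield gid, aid, ver


def classify(gid, aid, version):
    """Return [(cve, condition), ...] for one artifact; [] means neither CVE
    in scope applies to that version."""
    v = parse_version(version)
    findings = []
    if gid == "log4j" and v[:2] == (1, 2):
        # Every 1.2.x build ships the vulnerable SocketServer, but the flaw is only
        # reachable if the deployment runs that server (Fermín's point for Cygnus).
        findings.append(("CVE-2019-17571",
                         "applies only if org.apache.log4j.net.SocketServer is run"))
    if gid == "org.apache.logging.log4j" and aid == "log4j-core" and v[0] == 2:
        fixed = (v >= parse_version("2.15.0")
                 or (v[:2] == (2, 12) and v[2] >= 2)    # Java 7 backport line
                 or (v[:2] == (2, 3) and v[2] >= 1))    # Java 6 backport line
        if not fixed:
            findings.append(("CVE-2021-44228", "upgrade log4j-core to 2.15.0 or later"))
    return findings


def triage(pom_xml):
    """Map 'groupId:artifactId:version' to its findings for a whole pom."""
    return {f"{g}:{a}:{v}": classify(g, a, v) for g, a, v in log4j_dependencies(pom_xml)}


if __name__ == "__main__":
    for coord, findings in triage(SAMPLE_POM).items():
        print(coord, "->", findings or "no finding for the two CVEs in scope")
```

The script answers the per-CVE question Fermín asks for (which CVE, whether the declared version falls in its range, and under which condition it is reachable) rather than the aggregate counts in the monthly report; later Log4j 2 advisories are outside its scope.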