Uploaded image for project: 'Jalview'
  1. Jalview
  2. JAL-3933

Use of log4j and mitigation of critical alert "Apache Log4j 2 vulnerability (CVE-2021-44228)"

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.11.1.4, 2.11.1.5, 2.11.1.6
    • Fix Version/s: 2.11.1.5, 2.11.2, 2.11.2.0
    • Component/s: java8
    • Labels:
      None

      Description

      https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
      https://logging.apache.org/log4j/2.x/security.html
      describe the "Log4Shell" vulnerability found in log4j versions 2.0beta9 through to all versions up to 2.14.1.

      Log4j is found in some jars that Jalview packages, though it is not certain yet which version or in what configuration these classes are used (possibly not at all).

      Running
      cd j8lib; for x in *.jar; do G=$(unzip -t $x | grep org/apache/log4j | sed -e 's/^ *testing: //;s/ *OK$//;'); [ "$G" != "" ] && echo $x && echo -- && for c in $G; do echo $c; done && echo ==; done > list
      produces the attached list.

      Investigations continue.

      Proposed remediation: log4j is replaced with either fixed version or stripped out completely (if this does not break anything) and a 2.11.1.5 release is put on the release channel immediately.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              soares Ben Soares
              Reporter:
              soares Ben Soares
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: