Description
The advisories at https://www.ncsc.gov.uk/news/apache-log4j-vulnerability and https://logging.apache.org/log4j/2.x/security.html describe the "Log4Shell" vulnerability found in log4j versions 2.0-beta9 through to all versions up to 2.14.1.
Log4j is found in some jars that Jalview packages, though it is not yet certain which version is present or in what configuration these classes are used (possibly not at all).
Running
cd j8lib
for x in *.jar; do
  # keep the archive entries under org/apache/log4j (the log4j 1.x package path; log4j 2.x classes live under org/apache/logging/log4j)
  G=$(unzip -t "$x" | grep org/apache/log4j | sed -e 's/^ *testing: //;s/ *OK$//;')
  # for every jar with a hit, print the jar name, then one entry per line, then a separator
  [ "$G" != "" ] && echo "$x" && echo -- && for c in $G; do echo "$c"; done && echo ==
done > list
produces the attached list.
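The listing above only says which jars carry log4j class files. As an added example (not part of this issue or of Jalview's code), the Python below also reads the bundled log4j-core version from its Maven pom.properties and checks whether the JndiLookup class is present, descending into nested jars, so each hit can be placed inside or outside the 2.0-beta9 to 2.14.1 range. The jars it inspects are constructed in memory as fixtures; against a real tree, read the files from j8lib instead.

```python
import io
import re
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
AFFECTED_MAX = (2, 14, 1)  # upper bound of the range named in the issue

def parse_version(v):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0), i.e. inside the affected range."""
    return tuple(([int(p) for p in re.findall(r"\d+", v.split("-")[0])] + [0, 0, 0])[:3])

def scan_jar(data, name):
    """Return [(path, version, has_jndi_lookup)] for log4j-core in a jar and any nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:  # Maven metadata names the bundled log4j-core version
            for line in zf.read(POM_PROPS).decode("ascii", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP in names  # the class that performs the JNDI lookup
        if has_jndi or version is not None:
            findings.append((name, version, has_jndi))
        for n in sorted(names):  # shaded/uber jars often carry log4j one level down
            if n.endswith(".jar"):
                findings.extend(scan_jar(zf.read(n), name + "!" + n))
    return findings

def is_affected(version, has_jndi):
    """2.0-beta9 .. 2.14.1 with JndiLookup present; JndiLookup but no version metadata => suspect."""
    return has_jndi and (version is None or (2, 0, 0) <= parse_version(version) <= AFFECTED_MAX)

def scan_all(jars):
    """jars: {filename: bytes} -> sorted [(path, version, affected)]."""
    return sorted((p, v, is_affected(v, j)) for n, d in jars.items() for p, v, j in scan_jar(d, n))

def make_jar(entries):
    """In-memory jar from {path: bytes}: a constructed fixture, not a real Jalview jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()

CLASS_STUB = b"\xca\xfe\xba\xbe"  # placeholder bytes standing in for a class file
VULNERABLE_JAR = make_jar({POM_PROPS: b"version=2.14.1\n", JNDI_LOOKUP: CLASS_STUB})
FIXED_JAR = make_jar({POM_PROPS: b"version=2.17.1\n", JNDI_LOOKUP: CLASS_STUB})  # constructed later release
APP_JAR = make_jar({"org/example/App.class": CLASS_STUB, "lib/log4j-core.jar": VULNERABLE_JAR})
```

Calling scan_all({"vuln.jar": VULNERABLE_JAR, "fixed.jar": FIXED_JAR, "app.jar": APP_JAR}) flags the top-level 2.14.1 jar and the same jar nested inside app.jar, and clears the later release.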
Investigations continue.
Proposed remediation: log4j is either replaced with a fixed version or stripped out completely (if this does not break anything), and a 2.11.1.5 release is put on the release channel immediately.
Issue Links
related with: JAL-3949 Standard out logging broken: messages only routing to stderr and appear as a raw template (Closed)