A search on our open meetings server (6.2.0) for apache log4j
vulnerabilities:
find / -type f -print0 |xargs -n1 -0 zipgrep -i log4j2 2>/dev/null
produced these results:
com/hazelcast/logging/Logger.class:Binary file (standard input)
matches
com/hazelcast/logging/Log4j2Factory$Log4j2Logger.class:Binary file
(standard input) matches
com/hazelcast/logging/Log4j2Factory.class:Binary file (standard
input) matches
META-INF/maven/com.hazelcast/hazelcast/pom.xml:Â Â Â Â Â Â
<version>${log4j2.version}</version>
META-INF/maven/com.hazelcast/hazelcast/pom.xml:Â Â Â Â Â Â
<version>${log4j2.version}</version>
io/netty/util/internal/logging/Log4J2Logger$2.class:Binary file
(standard input) matches
io/netty/util/internal/logging/Log4J2Logger.class:Binary file
(standard input) matches
io/netty/util/internal/logging/Log4J2LoggerFactory.class:Binary file
(standard input) matches
io/netty/util/internal/logging/Log4J2Logger$1.class:Binary file
(standard input) matches
io/netty/util/internal/logging/InternalLoggerFactory.class:Binary
file (standard input) matches
com/mchange/v2/log/MLog$1.class:Binary file (standard input) matches
com/mchange/v2/log/log4j2/MLogAppender.class:Binary file (standard
input) matches
com/mchange/v2/log/log4j2/Log4j2MLog$Log4jMLogger.class:Binary file
(standard input) matches
com/mchange/v2/log/MLogClasses.class:Binary file (standard input)
matches
com/mchange/v2/log/log4j2/Log4j2MLog.class:Binary file (standard
input) matches
META-INF/maven/slf4j-configuration.properties:org.apache.logging.slf4j.Log4jLoggerFactory
org.apache.maven.cli.logging.impl.Log4j2Configuration
org/apache/maven/cli/logging/impl/Log4j2Configuration$1.class:Binary
file (standard input) matches
org/apache/maven/cli/logging/impl/Log4j2Configuration.class:Binary
file (standard input) matches
This is 6.2.0 which hasn't changed in months. Can you be sure that
there isn't a problem in 6.2.0 ?
Best,
Ed
Le 2021-12-13 01:50, Maxim Solodovnik a écrit :
Yes,
We are not affected
To get most updated version you can use latest SNAPSHOT :)
from mobile (sorry for typos ;)
On Mon, Dec 13, 2021, 04:21 Thomas Scholzen <tschol...@buche17.de>
wrote:
Hi Sebastian,
thank you for your assessment and quick response.
Best regards,
Thomas
Am 12.12.21 um 22:05 schrieb seba.wag...@gmail.com:
Afaik we are not using the native log4j library. I think the
vulnerability is only in the actual log4j.jar file.
log4j-over-slf4j is merely a bridge that mimics log4j APIs in order
to redirect the log stream into slf4j without rewriting the existing
log4j logging statements. The bridge ensures old dependencies that
have not been migrated to SLF4J can work with Openmeetings.
So OpenMeetings is not using or distributing the native log4j JAR
library. Also the Tomat version we are using that bundles
OpenMeetings into a Java Servlet Container is not affected since
it's not using the native log4j jar file.
So as far as I can see this vulnerability should not impact
OpenMeetings.
However OpenMeetings regularly ships updates with the latest
libraries and dependencies, so if you are not using the latest
version, you should update. There have been other CVE's fixed in
recent versions.
Thanks
Sebastian
Sebastian Wagner
Director Arrakeen Solutions, OM-Hosting.com
http://arrakeen-solutions.co.nz/
https://om-hosting.com - Cloud & Server Hosting for HTML5
Video-Conferencing OpenMeetings
[1] [2]
On Mon, 13 Dec 2021 at 07:29, Thomas Scholzen <tschol...@buche17.de>
wrote:
Openmeetings has, among others, the following dependencies:
log4j-over-slf4j-1.7.32.jar
slf4j-api-1.7.32.jar
jcl-over-slf4j-1.7.32.jar
Does anyone know, whether these are affected by the log4j
vulnerability CVE-2021-44228 and have to be updated?
Thanks,
Thomas
Links:
------
[1]
https://www.youracclaim.com/badges/da4e8828-743d-4968-af6f-49033f10d60a/public_url
[2]
https://www.youracclaim.com/badges/b7e709c6-aa87-4b02-9faf-099038475e36/public_url
