Log4j - CVE-2021-44228
Forum Index -> Development
CaptainCasa

Power User

Joined: 21/11/2007 12:23:06
Messages: 5510
Offline

We receive, of course, questions about the log4j security problem.

So, here are some responses:

1a. CaptainCasa itself does not use log4j in its server part. We decided to use the Java-logging (which is part of the JDK, package java.util.logging.*)

1b. The same is true for our Java-Swing and Java-FX-client implementation. The logging is done through java.util.logging.*.

2. Tomcat also does not use log4j but uses its own variant of the Java-logging. (See e.g. https://tomcat.apache.org/tomcat-8.0-doc/logging.html)

3. When using Maven: in the default pom.xml that we create when using the CC-project archetypes there is the dependency:

Code:
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.8.2</version>
</dependency>
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>


We currently cannot find any good reason for having added this - and do not see any active usage - both in our own programs and in libraries that we use. (Log4j is referenced by a dependency from the esapi-library, but this one does not use log4j for its own logging - but provides secured loggers for log4j.)

So we propose/recommend to be on the very safe side:

1. take out the direct log4j dependencies
2. update the esapi dependency so that it excludes log4j:

Code:
<!-- put comments around the log4j section -->
<!--
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.8.2</version>
</dependency>
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
</dependency>
-->

<!-- exclude log4j -->
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.1.0.1</version>
    <exclusions>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
    </exclusions>
</dependency>


Of course your own implementations might use log4j. So item 1 is only valid if you are not using log4j in your own implementations!


We will continue to update this message, of course....

Kind regards! Björn

Björn Müller, CaptainCasa GmbH
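As an added example (not CaptainCasa's code), a small script that checks a pom.xml for the two points in the post above: direct log4j dependencies still present, and esapi pulled in without a log4j exclusion. The two sample poms are constructed from the snippets in the post; the XML parser drops comments, so a commented-out log4j section counts as removed.

```python
# Added example, not CaptainCasa's code: audit a pom.xml string for direct
# log4j dependencies and for esapi without a log4j <exclusion>.
import xml.etree.ElementTree as ET

LOG4J_GROUPS = {"log4j", "org.apache.logging.log4j"}


def _local(tag):
    """Strip the Maven POM namespace so real poms and bare fragments both work."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_pom(pom_xml):
    """Return (direct_log4j_coords, esapi_without_exclusion) for a pom.xml string."""
    root = ET.fromstring(pom_xml)          # comments are ignored by the parser
    direct, esapi_unexcluded = [], False
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        gid, aid = _child_text(dep, "groupId"), _child_text(dep, "artifactId")
        if gid in LOG4J_GROUPS:
            direct.append(f"{gid}:{aid}:{_child_text(dep, 'version')}")
        elif (gid, aid) == ("org.owasp.esapi", "esapi"):
            excluded = {_child_text(ex, "groupId")
                        for ex in dep.iter() if _local(ex.tag) == "exclusion"}
            esapi_unexcluded = not (excluded & {"log4j", "*"})  # "*" = wildcard
    return direct, esapi_unexcluded


# Constructed samples: the archetype pom as described in the post, and the fixed one.
POM_BEFORE = """<project><dependencies>
  <dependency><groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId><version>2.8.2</version></dependency>
  <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
    <version>1.2.17</version></dependency>
  <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId>
    <version>2.1.0.1</version></dependency>
</dependencies></project>"""

POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <!-- <dependency><groupId>log4j</groupId><artifactId>log4j</artifactId>
       <version>1.2.17</version></dependency> -->
  <dependency><groupId>org.owasp.esapi</groupId><artifactId>esapi</artifactId>
    <version>2.1.0.1</version><exclusions><exclusion><groupId>log4j</groupId>
    <artifactId>log4j</artifactId></exclusion></exclusions></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    for name, pom in (("before", POM_BEFORE), ("after", POM_AFTER)):
        print(name, audit_pom(pom))
```

A real pom can be checked the same way by passing the file contents to audit_pom; a transitive log4j that Maven actually resolves is only visible in the dependency tree, so this only covers what the pom declares.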
CaptainCasa

Power User

Joined: 21/11/2007 12:23:06
Messages: 5510
Offline

Hi,

please note: the bug in log4j was caused by some log4j-JNDI lookup feature which was introduced in version 2 of log4j.

So version 1.* of log4j is "safe" when it comes to the CVE-2021-44228 bug! (There are other issues with version 1.*, too - but not the "hot one".)

Kind regards! Björn

Björn Müller, CaptainCasa GmbH
CaptainCasa

Power User

Joined: 21/11/2007 12:23:06
Messages: 5510
Offline

We just got the question: "In the Swing Client there is a commons-logging.jar". What is this, is this maybe the same as log4j?

Response is: commons-logging.jar is a thin abstraction layer in front of logging frameworks (so that applications log against commons-logging and do not directly work with the API of the concrete logging framework).

So: commons-logging.jar is not related to the log4j problem.

Kind regards! Björn

Björn Müller, CaptainCasa GmbH
heyl

Power User

Joined: 10/01/2008 09:41:55
Messages: 266
Location: Ettlingen
Offline

Hi Björn,

happy new year to you and your team and everyone reading this post

Will you remove/exclude log4j from the POM in a future release of eclntjsfserver?

Best regards
Frauke
CaptainCasa

Power User

Joined: 21/11/2007 12:23:06
Messages: 5510
Offline

Hi Frauke,

happy new year to you as well! ;-)
...we removed it immediately from our project archetypes.

Kind regards! Björn

Björn Müller, CaptainCasa GmbH
heyl

Power User

Joined: 10/01/2008 09:41:55
Messages: 266
Location: Ettlingen
Offline

Thanks, Björn!

But we are not using the project archetypes; we get the POM directly from your Maven repository. And there it's not yet removed.

For example:
https://www.captaincasademo.com/mavenrepository/org/eclnt/eclntjsfserver/20211217/eclntjsfserver-20211217.pom

Will that also be corrected in the next version?

Best regards
Frauke

CaptainCasa

Power User

Joined: 21/11/2007 12:23:06
Messages: 5510
Offline

Hi Frauke,

you are right, of course... - thanks for the hint!
The updated pom.xml files will be part of this week's update. (Hopefully this evening, but I am not 100% sure...).

Thanks + Kind regards! Björn

Björn Müller, CaptainCasa GmbH