JAL-3933: Use of log4j and mitigation of critical alert "Apache Log4j 2...

Review CR-JAL-255

    Objectives

    These advisories:
    https://www.ncsc.gov.uk/news/apache-log4j-vulnerability
    https://logging.apache.org/log4j/2.x/security.html
    describe the "Log4Shell" vulnerability found in log4j versions 2.0-beta9 through to all versions below 2.14.1.

    Log4j is found in some jars that Jalview packages, though it is not certain yet which version or in what configuration these classes are used (possibly not at all).

    Running

    cd j8lib; for x in *.jar; do G=$(unzip -t "$x" | grep org/apache/log4j | sed -e 's/^ *testing: //;s/ *OK$//;'); [ "$G" != "" ] && echo "$x" && echo -- && for c in $G; do echo "$c"; done && echo ==; done > list

    (list every jar containing classes under org/apache/log4j, followed by the matching class paths) produces the attached list.
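    The shell loop above matches only the org/apache/log4j package (log4j 1.x); log4j 2 classes live under org/apache/logging/log4j, and the loop does not look inside jars nested in other jars. The following is an added example, not code from the review or from Jalview, that generalises the inventory step in Python: it counts both package families per jar, reads the log4j 2 version from the bundled Maven pom.properties, flags whether JndiLookup.class (the class behind the Log4Shell lookup) is present, and descends into nested jars. The sample jars are constructed in memory so it runs offline.

```python
import io
import zipfile

# Class-path prefixes of log4j 1.x and 2.x, plus the class whose JNDI lookup is
# the Log4Shell vector (deleting it from the jar was the documented mitigation
# where upgrading was not possible; JNDI is disabled by default from 2.16.0).
LOG4J1_PREFIX = "org/apache/log4j/"
LOG4J2_PREFIX = "org/apache/logging/log4j/"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_DIR = "META-INF/maven/org.apache.logging.log4j/"

def scan_jar(data: bytes, name: str, findings: list) -> None:
    # Record log4j classes in one jar, then recurse into nested jars (fat jars).
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        log4j1 = sum(n.startswith(LOG4J1_PREFIX) for n in names)
        log4j2 = sum(n.startswith(LOG4J2_PREFIX) for n in names)
        versions = set()  # taken from the Maven pom.properties inside log4j 2 jars
        for n in names:
            if n.startswith(POM_DIR) and n.endswith("pom.properties"):
                for line in zf.read(n).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        versions.add(line[len("version="):].strip())
        if log4j1 or log4j2:
            findings.append({"jar": name, "log4j1_classes": log4j1, "log4j2_classes": log4j2,
                             "log4j2_versions": sorted(versions), "jndi_lookup_present": JNDI_LOOKUP in names})
        for n in names:
            if n.endswith(".jar"):
                scan_jar(zf.read(n), f"{name}!/{n}", findings)

def scan_jars(jars: dict) -> list:
    # jars: {filename: bytes}; returns one finding per jar that carries log4j classes.
    findings = []
    for name, data in sorted(jars.items()):
        scan_jar(data, name, findings)
    return findings

def make_jar(entries: dict) -> bytes:
    # Build a constructed in-memory jar for the demo (not a real artefact).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()

SAMPLE = {  # constructed demo input: a fat jar nesting log4j-core 2.14.1, a 1.x jar, a clean jar
    "app.jar": make_jar({"lib/log4j-core-2.14.1.jar": make_jar(
        {JNDI_LOOKUP: b"", POM_DIR + "log4j-core/pom.properties": b"version=2.14.1\n"})}),
    "legacy.jar": make_jar({"org/apache/log4j/Logger.class": b""}),
    "clean.jar": make_jar({"com/example/Main.class": b""}),
}
```

    To run it against a real lib directory, build the dict from the jar files on disk (`{p.name: p.read_bytes() for p in Path("j8lib").glob("*.jar")}`) and pass it to scan_jars.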

    Investigations continue.

    Proposed remediation: log4j is either replaced with a fixed version or stripped out completely (if this does not break anything), and a 2.11.1.5 release is put on the release channel immediately.

    General Comments

    There are no general comments on this review.
    Files in review

    /j11lib/Jmol-14.31.53.jar Deleted
    /j11lib/Jmol-NO_LOG4J-14.31.53.jar Added
    /j11lib/jabaws-min-client-2.2.0.jar Deleted
    /j11lib/jabaws-min-client-NO_LOG4J-2.2.0.jar Added
    /j11lib/log4j-1.2-api-2.16.0.jar Added
    /j11lib/log4j-api-2.16.0.jar Added
    /j11lib/log4j-core-2.16.0.jar Added
    /j11lib/log4j-slf4j18-impl-2.16.0.jar Added
    /j11lib/log4j-to-slf4j-2.0-rc2.jar Deleted
    /j11lib/slf4j-api-1.7.26.jar Deleted
    /j11lib/slf4j-api-1.7.32.jar Added
    /j11lib/slf4j-log4j12-1.7.26.jar Deleted
    /j11lib/slf4j-log4j12-1.7.32.jar Added
    /j8lib/Jmol-14.31.53.jar Deleted
    /j8lib/Jmol-NO_LOG4J-14.31.53.jar Added
    /j8lib/jabaws-min-client-2.2.0.jar Deleted
    /j8lib/jabaws-min-client-NO_LOG4J-2.2.0.jar Added
    /j8lib/log4j-1.2-api-2.16.0.jar Added
    /j8lib/log4j-api-2.16.0.jar Added
    /j8lib/log4j-core-2.16.0.jar Added
    /j8lib/log4j-slf4j18-impl-2.16.0.jar Added
    /j8lib/log4j-to-slf4j-2.0-rc2.jar Deleted
    /j8lib/slf4j-api-1.7.26.jar Deleted
    /j8lib/slf4j-api-1.7.32.jar Added
    /j8lib/slf4j-api-1.7.7.jar Deleted
    /j8lib/slf4j-log4j12-1.7.26.jar Deleted
    /j8lib/slf4j-log4j12-1.7.32.jar Added
    /j8lib/slf4j-log4j12-1.7.7.jar Deleted
    /src/jalview/bin/Cache.java Changed
    /src/jalview/javascript/log4j/Layout.java Changed
