Are we safe from log4j vulnerability
As the subject says. Don't know much about Java (out of my depth here), but I just received an alert from the Wordfence people (Wordfence protects my WordPress sites).
Rocketman
V8.7 Developer Edition. Server 2016 Standard edition. MySql 5.5
Re: Are we safe from log4j vulnerability
Hi all,
Some good information on it. I trust support will have a look at it to see if we are vulnerable and hopefully release an update with the new version. We are busy running vulnerability scans now to confirm.
https://www.rapid7.com/blog/post/2021/1 ... che-log4j/
Re: Are we safe from log4j vulnerability
Yes, we are also looking into this and upgrading the necessary jar files. It looks like Aware is currently shipping quite an old version (1.2), and we are upgrading our system with the latest 2.15 (which includes this bug fix too).
There are two jars which need to be placed under the lib folder:
log4j-api-2.15.0.jar
log4j-core-2.15.0.jar
and remove the old one, log4j1.2.jar.
Hopefully, in future Aware will bundle the latest jars; these must be kept updated.
From,
Himanshu Jain
AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
Re: Are we safe from log4j vulnerability
Applies to us ONLY if this is true?
"According to Apache’s advisory, all Apache Log4j (version 2.x) versions up to 2.14.1 are vulnerable if message lookup substitution was enabled."
1) Himanshu said we are on version 1.2. So we are not even using an affected version?
2) Do we know if this even applies to our aware installs? It also says this:
"According to a translated technical blog post, JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector."
So easy instructions posted here should tell us how to easily check which JDK is installed. It may not affect us.
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
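An added example (editor's, not from any poster in this thread and not AwareIM code) that does the JDK check asked for in the post above: it parses the output of `java -version`, normalises the old `1.8.0_191` and the new `11.0.1` numbering to one shape, and compares the result against the update levels quoted from the blog post (6u211, 7u201, 8u191, 11.0.1). The `check_java` helper and the idea of pointing it at the bundled JDK rather than whatever `java` is first on PATH are assumptions; the later post in this thread runs the detector with `C:\AwareIM\JDK\bin\java`, so that is the binary to check. One caveat on what a True answer means: the JDK default only refuses to load classes from a remote LDAP codebase; the JNDI lookup itself still runs, so this mitigates one vector and is not a substitute for upgrading the library.

```python
"""Decide from `java -version` output whether the JDK default already
blocks loading classes from a remote LDAP codebase. Added example, not
AwareIM code; the thresholds are the ones quoted in the thread."""
import re
import subprocess
from typing import Optional, Tuple

# Update levels from the quoted blog post: 6u211, 7u201, 8u191, 11.0.1.
# Java 9 and 10 are not named there and are reported as unknown (None).
LDAP_CODEBASE_FIXED = {6: (6, 0, 211), 7: (7, 0, 201), 8: (8, 0, 191), 11: (11, 0, 1)}
VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(output: str) -> Tuple[int, int, int]:
    """Normalise both version schemes to (major, minor, update):
    '1.8.0_191' -> (8, 0, 191), '11.0.1' -> (11, 0, 1), '17' -> (17, 0, 0)."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no version string in: " + output.strip())
    raw = re.split(r"[-+]", m.group(1))[0]  # drop '-b13', '-ea', '+9' suffixes
    nums = [int(p) for p in re.split(r"[._]", raw)]
    if nums[0] == 1:  # legacy scheme 1.<major>.0_<update>
        return (nums[1], 0, nums[3] if len(nums) > 3 else 0)
    nums += [0, 0]
    return (nums[0], nums[1], nums[2])


def ldap_codebase_blocked(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if com.sun.jndi.ldap.object.trustURLCodebase defaults to false
    in this JDK, False if not, None if the quoted table does not cover it."""
    major = version[0]
    if major in LDAP_CODEBASE_FIXED:
        return version >= LDAP_CODEBASE_FIXED[major]
    if major >= 12:
        return True  # every release after 11.0.1 ships the same default
    return None


def check_java(java: str = "java") -> Tuple[Tuple[int, int, int], Optional[bool]]:
    """Run the given java binary; `java -version` prints to stderr."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    version = parse_java_version(proc.stderr or proc.stdout)
    return version, ldap_codebase_blocked(version)


if __name__ == "__main__":
    import sys
    # Point this at the bundled JDK (assumed path: C:\AwareIM\JDK\bin\java),
    # not just whatever 'java' is first on PATH.
    version, blocked = check_java(sys.argv[1] if len(sys.argv) > 1 else "java")
    print(version, {True: "remote LDAP codebase blocked by default",
                    False: "remote LDAP codebase ALLOWED", None: "not covered"}[blocked])
```

Run it as `python jdkcheck.py C:\AwareIM\JDK\bin\java` and read the second word; "ALLOWED" or "not covered" means the JDK gives you nothing and the library version is all that matters.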
Re: Are we safe from log4j vulnerability
The latest AwareIM version uses Java 12.x, and I have not found any harm in updating to the latest lib.
Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback’s architecture.
From,
Himanshu Jain
AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
Re: Are we safe from log4j vulnerability
We do not think that this vulnerability affects Aware IM applications, but to be safe we will be testing Aware IM with the new version. If everything is OK we will include the new library in the official distribution.
In the meantime feel free to replace the old jar manually as Himanshu suggests.
Aware IM Support Team
Reasons to upgrade from Log4j 1.x to Log4j 2
Might be useful to read.
Update: since August 2015, Log4j 1.x is officially End of Life and it is recommended to upgrade to Log4j 2. Update 2: Log4j 1.2 is broken in Java 9.
- Community support: Log4j 1.x is not actively maintained, whereas Log4j 2 has an active community where questions are answered, features are added and bugs are fixed.
- Async Loggers - performance similar to logging switched off
- Custom log levels
- Automatically reload its configuration upon modification without losing log events while reconfiguring.
- Java 8-style lambda support for lazy logging
- Log4j 2 is garbage-free (or at least low-garbage) since version 2.6
- Filtering: filtering based on context data, markers, regular expressions, and other components in the Log event. Filters can be associated with Loggers. You can use a common Filter class in any of these circumstances.
- Plugin Architecture - easy to extend by building custom components
- Supported APIs: SLF4J, Commons Logging, Log4j-1.x and java.util.logging
- Log4j 2 API separate from the Log4j 2 implementation. API supports more than just logging Strings: CharSequences, Objects and custom Messages. Messages allow support for interesting and complex constructs to be passed through the logging system and be efficiently manipulated. Users are free to create their own Message types and write custom Layouts, Filters and Lookups to manipulate them.
- Concurrency improvements: log4j2 uses java.util.concurrent libraries to perform locking at the lowest level possible. Log4j-1.x has known deadlock issues.
- Configuration via XML, JSON, YAML, properties configuration files or programmatically.
- log4j2.xml and log4j2.properties formats are different from the Log4j 1.2 configuration syntax
Log4j 2 is not fully compatible with Log4j 1.x: The Log4j 1.2 API is supported by the log4j-1.2-api adapter but customizations that rely on Log4j 1.2 internals may not work.
Java 6 required for version 2.0 to 2.3. Java 7 is required for Log4j 2.4 and later.
From,
Himanshu Jain
AwareIM Consultant (since version 4.0)
OS: Windows 10.0, Mac
DB: MYSQL, MSSQL
Re: Are we safe from log4j vulnerability
As the fun never stops at just one vulnerability, a second has been found with Log4J.
2.16.0 is now the recommendation.
https://cve.mitre.org/cgi-bin/cvename.c ... 2021-45046
Avid Linux user....
Re: Are we safe from log4j vulnerability
Fine, but where exactly do we get this new file?
Click Here to see a collection of my tips & hacks on this forum. Or search for "JaymerTip" in the search bar at the top.
Jaymer
Aware Programming & Consulting - Tampa FL
Re: Are we safe from log4j vulnerability
You can download it from https://logging.apache.org/log4j/2.x/download.html directly
Regards,
Suwandy
-----------------
Kisaran - Indonesia
Re: Are we safe from log4j vulnerability
You can verify issues using the log4j-detector:
https://github.com/mergebase/log4j-detector
Simple to use.
Usage: java -jar log4j-detector-2021.12.15.jar [--verbose] [paths to scan...]
E.g.:
C:\AwareIM\JDK\bin\java -jar log4j-detector-2021.12.15.jar C:\AwareIM
You should get something like this:
C:\AwareIM\ConfigTool\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\Tomcat\webapps\AwareIM\WEB-INF\lib\log4j-1.2.8.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\VAR\binlinux\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\VAR\binmac\CP\Eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
C:\AwareIM\VAR\binwin\CP\eclipse\plugins\com.awaresoft.awareim.shared_1.0.0\activemq-all-5.8.0.jar contains Log4J-1.x <= 1.2.17 _OLD_
AwareIM 9.0
MySQL, MSSQL
MS Server
Australia
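An added example (editor's, not AwareIM's code and not the log4j-detector tool) that does in Python what the detector run above does, and also lets you confirm the result of the manual jar swap from Himanshu's post: it walks a directory, opens every jar/war/ear, identifies the Log4j generation by class entries (so shaded bundles like activemq-all are caught even when no Maven metadata survives), reads the version from pom.properties where present, recurses into archives packed inside archives (jars under a war's WEB-INF/lib), and maps 2.x versions onto the 2.15 / 2.16 / 2.17 sequence discussed in this thread. The sample archives at the bottom are constructed in memory so the block runs offline; their file names and the `scan_tree` entry point are assumptions. After the swap, a clean scan should show no 1.x hit left under lib; if the application still logs through the 1.2 API, the log4j-1.2-api adapter mentioned in the "Reasons to upgrade" post is what bridges it.

```python
"""Scan jars for Log4j, read the version and say which advisory applies.
Added example; not AwareIM code and not the log4j-detector tool."""
import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Dict, Iterator, Optional, Tuple

# Class entries identify the Log4j generation even inside a shaded jar
# such as activemq-all, where no Log4j pom.properties may be present.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
LOG4J2_MARKER = "org/apache/logging/log4j/core/Logger.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM1 = "META-INF/maven/log4j/log4j/pom.properties"
POM2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_RE = re.compile(r"\.(jar|war|ear|zip)$", re.I)


@dataclass
class Finding:
    path: str               # filesystem path, 'outer!/inner' for nested jars
    generation: str         # "1.x" or "2.x"
    version: Optional[str]  # None when no pom.properties was found
    jndi_lookup: bool       # JndiLookup.class present (2.x only)
    verdict: str


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.15.0' -> (2, 15, 0); ignores '-rc1' style suffixes."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def classify(generation: str, version: Optional[str], jndi_lookup: bool) -> str:
    if generation == "1.x":
        return "log4j 1.x: not affected by CVE-2021-44228, but end of life"
    if version is None:
        return "log4j 2.x, version unknown" + (", JndiLookup present: treat as vulnerable" if jndi_lookup else "")
    v = parse_version(version)
    # Conservative: the Java 6/7 backport lines (2.3.x, 2.12.x) are not modelled
    # separately and are flagged for upgrade like any other version < 2.15.0.
    if v < (2, 15, 0):
        return "log4j 2.x < 2.15.0: CVE-2021-44228, upgrade"
    if v < (2, 16, 0):
        return "log4j 2.15.0: CVE-2021-45046, upgrade"
    if v < (2, 17, 0):
        return "log4j 2.16.0: CVE-2021-45105, upgrade to 2.17.0"
    return "log4j 2.17.0 or later"


def scan_archive(data: bytes, path: str) -> Iterator[Finding]:
    """Yield a Finding if this archive holds Log4j classes, then recurse
    into archives packed inside it (e.g. jars under WEB-INF/lib)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # a .jar that is not a zip: nothing to inspect
    with zf:
        names = set(zf.namelist())
        version = None
        for pom in (POM1, POM2):
            if pom in names:
                m = re.search(r"^version=(.+)$", zf.read(pom).decode("utf-8", "replace"), re.M)
                version = m.group(1).strip() if m else None
        if LOG4J2_MARKER in names:
            jndi = JNDI_LOOKUP in names
            yield Finding(path, "2.x", version, jndi, classify("2.x", version, jndi))
        elif LOG4J1_MARKER in names:
            yield Finding(path, "1.x", version, False, classify("1.x", version, False))
        for name in sorted(n for n in names if ARCHIVE_RE.search(n)):
            yield from scan_archive(zf.read(name), f"{path}!/{name}")


def scan_tree(root: str) -> Iterator[Finding]:
    """Walk a directory such as C:\\AwareIM and scan every archive in it."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            if ARCHIVE_RE.search(f):
                full = os.path.join(dirpath, f)
                with open(full, "rb") as fh:
                    yield from scan_archive(fh.read(), full)


def build_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture: an in-memory jar containing the given entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples (assumed names) standing in for what a scan of C:\AwareIM might find.
SAMPLES = {
    "log4j-1.2.8.jar": build_jar({LOG4J1_MARKER: b"", POM1: b"version=1.2.8\n"}),
    "log4j-core-2.14.1.jar": build_jar({LOG4J2_MARKER: b"", JNDI_LOOKUP: b"", POM2: b"version=2.14.1\n"}),
    "activemq-all-5.8.0.jar": build_jar({LOG4J1_MARKER: b"", "org/apache/activemq/Foo.class": b""}),
    "shaded-unknown.jar": build_jar({LOG4J2_MARKER: b"", JNDI_LOOKUP: b"", "com/example/App.class": b""}),
    "app.war": build_jar({"WEB-INF/lib/log4j-core-2.15.0.jar": build_jar(
        {LOG4J2_MARKER: b"", JNDI_LOOKUP: b"", POM2: b"version=2.15.0\n"})}),
}


def scan_samples() -> Dict[str, str]:
    """Verdict per archive found in the constructed samples."""
    return {f.path: f.verdict for name, data in SAMPLES.items() for f in scan_archive(data, name)}
```

To run it against a real install, call `for f in scan_tree(r"C:\AwareIM"): print(f)`; `scan_samples()` shows the same logic over the constructed fixtures. A shaded jar with no pom.properties is reported as unknown version and, if JndiLookup.class is present, treated as vulnerable until proven otherwise, which is the safe default when you cannot tell 2.14 from 2.17 by file name.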
Log4J v2.17
Be aware that following the release of 2.15 the fix was determined to be incomplete and 2.16 was released.
Then another issue was identified in 2.16, so 2.17 has been released.
Re: Are we safe from log4j vulnerability
Avid Linux user....