Autoplot / Bugs / #2420 Verify that CVE-2021-44228 (Log4J) does not affect Autoplot

Autoplot is an interactive browser for data on the web

#2420 Verify that CVE-2021-44228 (Log4J) does not affect Autoplot

Milestone: nextrelease

Status: open-fixed

Owner: nobody

Labels: None

Priority: 5

Updated: 2021-12-11

Created: 2021-12-11

Creator: Jeremy Faden

Private: No

Verify that CVE-2021-44228 does not affect Autoplot. Autoplot uses Java's logging system, but it may use libraries that use this logging system, and files could be crafted to trick these codes to log messages.

Discussion

Jeremy Faden - 2021-12-11

I do not believe Autoplot could be affected by this. The codes that use Log4J use a very old version of it. See https://github.com/autoplot/dev/blob/master/demos/2021/20211210/demoApacheLog4j.jy
which shows that the c2013 version's path, org.apache.log4j, is not found within Autoplot.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jeremy Faden - 2021-12-11

status: open --> open-fixed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jeremy Faden - 2021-12-11

Another nice resource: https://www.lunasec.io/docs/blog/log4j-zero-day/

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Verify that CVE-2021-44228 (Log4J) does not affect Autoplot

Autoplot is an interactive browser for data on the web

Group

Searches

Help

#2420 Verify that CVE-2021-44228 (Log4J) does not affect Autoplot

Discussion