From: Clark, A. <as....@no...> - 2021-12-14 23:10:08

(I forgot to say: Kudos to the eXist developers for pushing out the v5.3.1 patch so quickly!)

________________________________
From: Clark, Ash <as....@no...>
Sent: Tuesday, December 14, 2021 4:27 PM
To: Mathias Göbel <go...@su...>; exi...@li... <exi...@li...>
Subject: Re: [Exist-open] log4j2 vulnerability

Hi all,

Tech Services here shared this security notice with me: https://logging.apache.org/log4j/2.x/security.html

Essentially, the Log4J attack vector is wider than previously understood. The previously-reported solutions (including `log4j2.formatMsgNoLookups` and `%m{nolookups}`) are insufficient. The patch version of eXist (v5.3.1) upgraded Log4J to v2.15.0, but Log4J v2.16 is now recommended. Until the next patch version of eXist is released, either

* manually upgrade Log4J to version 2.16.0, or
* remove the JNDI lookup class from Log4J, using the command `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class`.

Hope this helps other people.

Warmly,
Ash

Ash Clark (my pronoun.is/e/em/eir)
XML Applications Developer
Digital Scholarship Group
Northeastern University Libraries
as....@no...
(617) 373-5983

________________________________
From: Mathias Göbel <go...@su...>
Sent: Sunday, December 12, 2021 2:17 PM
To: exi...@li... <exi...@li...>
Subject: Re: [Exist-open] log4j2 vulnerability

Hey Juri,

can you explain why adding the system property is not sufficient in the case of existdb? I added the recommended parameter "-Dlog4j2.formatMsgNoLookups" to the $JAVA_OPTS. Also I guess that setting this parameter as a property in the log4j2.xml configuration file might be one alternative.

best,
Mathias

On 11.12.21 21:32, Juri Leino wrote:
> "%m" with "%m{noLookups}"

-- 
Mathias Göbel
University of Göttingen Library, D-37070 Göttingen
Research and Development
Papendiek 14 (hist. Building, Room 2.408)
+49 551 39-25823 (Tel., Wednesday to Friday)
+49 551 39-33856 (Fax.)
Digital Library Software and Service Development
Platz der Göttinger Sieben 1 (Central Library, Room 2.129)
+49 551 39-10230 (Tel., Monday/Tuesday)
go...@su...
http://www.sub.uni-goettingen.de
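As an added illustration of the two mitigations Ash lists (not code from the thread or from eXist), the following script audits a log4j-core jar the way an administrator would before and after applying them: it reads the `Implementation-Version` from the jar manifest (a real attribute in log4j jars; the 2.16.0 threshold is the one the e-mail recommends) and checks whether `JndiLookup.class` is still present, then produces a copy with that class removed, which is the Python equivalent of the `zip -q -d` command above. The jar it inspects is constructed in memory with stub entries, and `make_sample_jar`, `audit_jar` and `strip_jndi_lookup` are names chosen here.

```python
import io
import zipfile

# Entry that the e-mail's `zip -q -d log4j-core-*.jar ...` command deletes.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
RECOMMENDED = (2, 16, 0)  # version the thread recommends upgrading to


def make_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar; class entries are empty stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


def parse_version(text: str) -> tuple:
    return tuple(int(p) for p in text.split(".")[:3])


def audit_jar(data: bytes) -> dict:
    """Report the manifest version and whether the JNDI lookup class is still shipped."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            for line in z.read("META-INF/MANIFEST.MF").decode("utf-8").splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
    has_jndi = JNDI_CLASS in names
    # Either mitigation from the e-mail is enough: new enough version, or class removed.
    upgraded = version is not None and parse_version(version) >= RECOMMENDED
    return {"version": version, "jndi_lookup": has_jndi, "ok": upgraded or not has_jndi}


def strip_jndi_lookup(data: bytes) -> bytes:
    """Rewrite the jar without JndiLookup.class, as `zip -d` does in place."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    shipped = make_sample_jar("2.15.0")  # what eXist 5.3.1 bundles, per the thread
    print("before:", audit_jar(shipped))
    print("after: ", audit_jar(strip_jndi_lookup(shipped)))
```

Point `zipfile.ZipFile` at the real `log4j-core-*.jar` under the eXist `lib` directory to audit an installation instead of the constructed sample.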