Does anyone know if Archi is vulnerable because of log4j?
Hi,
From my knowledge of the code and this official communication from eclipse (https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)), I'd say that Archi is not vulnerable.
Regards,
JB
Short answer: no.
Long answer:
Take a look for yourself...it's all open source...
https://github.com/archimatetool/archi
And if an app or service does use Log4J there are other factors - which version of Log4J is used? How is it configured? How is it used?
And this tweet pretty much sums up my own feelings about this:
https://twitter.com/mmilinkov/status/1470867640969273345
Hi,
In addition to Phil's and my answers, this is only true for our official plugins. If you use third-party plugins, then you'll have to check the code yourself or ask their developers gently.
Regards,
JB
Thanks a lot,
(by the way, we did make a donation to Archi)
Regards,
RD
Quote from: Rindert Dijkstra on December 16, 2021, 15:46:34 PM
Thanks a lot,
(by the way, we did make a donation to Archi)
Regards,
RD
My comment wasn't aimed at you in particular.
Hi,
Log4J seems to be included in plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar.
I do not know the implications of this though or what version of Log4J is included.
BR
Erik
$ unzip -v plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar
Archive: plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
5998 Defl:N 2395 60% 05-04-2018 13:53 734d8476 META-INF/MANIFEST.MF
4452 Defl:N 1836 59% 05-04-2018 13:53 3350c63d META-INF/ECLIPSE_.SF
7810 Defl:N 5015 36% 05-04-2018 13:53 bdaf68ec META-INF/ECLIPSE_.RSA
0 Defl:N 2 0% 05-04-2018 13:53 00000000 META-INF/
177 Defl:N 126 29% 05-04-2018 13:53 8d3535f6 META-INF/NOTICE.txt
11358 Defl:N 3949 65% 05-04-2018 13:53 86e2b4b4 META-INF/LICENSE.txt
0 Defl:N 2 0% 05-04-2018 13:53 00000000 META-INF/maven/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 META-INF/maven/org.eclipse.orbit.bundles/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/
811 Defl:N 359 56% 04-09-2018 12:23 6a71df5f META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/pom.xml
145 Defl:N 134 8% 05-04-2018 13:53 75bb280d META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/pom.properties
0 Defl:N 2 0% 05-04-2018 13:53 00000000 OSGI-INF/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 OSGI-INF/l10n/
87 Defl:N 79 9% 05-04-2018 13:53 05ad5008 OSGI-INF/l10n/bundle.properties
0 Defl:N 2 0% 05-04-2018 13:53 00000000 about_files/
11358 Defl:N 3949 65% 05-04-2018 13:53 86e2b4b4 about_files/THE_APACHE_SOFTWARE_LICENSE__VERSION_2.0.txt
0 Defl:N 2 0% 05-04-2018 13:53 00000000 org/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 org/apache/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 org/apache/commons/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 org/apache/commons/logging/
0 Defl:N 2 0% 05-04-2018 13:53 00000000 org/apache/commons/logging/impl/
3489 Defl:N 1195 66% 05-04-2018 13:53 cc667b39 org/apache/commons/logging/impl/AvalonLogger.class
9666 Defl:N 4248 56% 05-04-2018 13:53 cae3a660 org/apache/commons/logging/impl/SimpleLog.class
4840 Defl:N 1937 60% 05-04-2018 13:53 9ebae271 org/apache/commons/logging/impl/Log4JLogger.class
5381 Defl:N 2372 56% 05-04-2018 13:53 180e716b org/apache/commons/logging/impl/WeakHashtable.class
1186 Defl:N 543 54% 05-04-2018 13:53 cf5660a9 org/apache/commons/logging/impl/WeakHashtable$1.class
3899 Defl:N 1434 63% 05-04-2018 13:53 7a12493d org/apache/commons/logging/impl/Jdk14Logger.class
2914 Defl:N 1390 52% 05-04-2018 13:53 820be9d5 org/apache/commons/logging/impl/ServletContextCleaner.class
1669 Defl:N 587 65% 05-04-2018 13:53 01a6a705 org/apache/commons/logging/impl/WeakHashtable$WeakKey.class
2055 Defl:N 627 70% 05-04-2018 13:53 ea84645d org/apache/commons/logging/impl/NoOpLog.class
3156 Defl:N 1187 62% 05-04-2018 13:53 1743e159 org/apache/commons/logging/impl/LogKitLogger.class
816 Defl:N 438 46% 05-04-2018 13:53 a50cce2a org/apache/commons/logging/impl/LogFactoryImpl$3.class
596 Defl:N 348 42% 05-04-2018 13:53 f7faba2b org/apache/commons/logging/impl/LogFactoryImpl$1.class
2351 Defl:N 965 59% 05-04-2018 13:53 020d5b27 org/apache/commons/logging/impl/WeakHashtable$Referenced.class
894 Defl:N 516 42% 05-04-2018 13:53 e89ec705 org/apache/commons/logging/impl/SimpleLog$1.class
5216 Defl:N 2139 59% 05-04-2018 13:53 cdfeeaf4 org/apache/commons/logging/impl/Jdk13LumberjackLogger.class
19598 Defl:N 8712 56% 05-04-2018 13:53 44131dba org/apache/commons/logging/impl/LogFactoryImpl.class
759 Defl:N 434 43% 05-04-2018 13:53 53b2b043 org/apache/commons/logging/impl/LogFactoryImpl$2.class
1830 Defl:N 871 52% 05-04-2018 13:53 485c8cd8 org/apache/commons/logging/impl/WeakHashtable$Entry.class
3601 Defl:N 1700 53% 05-04-2018 13:53 cefed88a org/apache/commons/logging/LogSource.class
1420 Defl:N 789 44% 05-04-2018 13:53 aaea4510 org/apache/commons/logging/LogFactory$4.class
831 Defl:N 490 41% 05-04-2018 13:53 d59a717c org/apache/commons/logging/LogFactory$3.class
737 Defl:N 428 42% 05-04-2018 13:53 b80ced43 org/apache/commons/logging/LogFactory$6.class
1295 Defl:N 662 49% 05-04-2018 13:53 f6a34208 org/apache/commons/logging/LogConfigurationException.class
20791 Defl:N 9263 55% 05-04-2018 13:53 03e9495c org/apache/commons/logging/LogFactory.class
1986 Defl:N 1065 46% 05-04-2018 13:53 31e32ecb org/apache/commons/logging/LogFactory$5.class
582 Defl:N 351 40% 05-04-2018 13:53 f63f918b org/apache/commons/logging/LogFactory$1.class
813 Defl:N 442 46% 05-04-2018 13:53 5f073bf9 org/apache/commons/logging/LogFactory$2.class
479 Defl:N 261 46% 05-04-2018 13:53 4b67c39d org/apache/commons/logging/Log.class
3450 Defl:N 1239 64% 05-04-2018 13:53 efafed9a about.html
-------- ------- --- -------
148496 64499 57% 50 files
Some more research:
The Log4J class above seems to be a Log4J client.
Source code for version 1.2.0 of the common logger is located on: https://github.com/apache/commons-logging/blob/bd26f32b9a24e1c5176da719c95203bba09e401c/src/main/java/org/apache/commons/logging/impl/Log4JLogger.java
Looking into the code, it seems to be a connector for Log4J version 1.2, and it seems to throw an exception unless version 1.2 is available (but I admit I fail to understand the condition used). Rows 78-81.
My interpretation is that the common logger as part of Archi is not a threat, but please make your own independent analysis - I am just an egg.
Sorry if I stirred up any emotions with my last mail, I just did not want to sit on any vulnerability knowledge on my own.
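As an added example (not code from this thread, from Archi, or from Eclipse), the following Python script does the kind of check discussed above in a repeatable way: it walks every jar in an Eclipse-style plugins/ directory, recurses into jars embedded inside them, and reports whether each one carries log4j-core 2.x with JndiLookup.class present (the class behind CVE-2021-44228), log4j-core with that class stripped out, only log4j-api, log4j 1.x, or merely commons-logging's Log4JLogger adapter with no Log4J classes behind it. The class and package paths it matches on are assumptions taken from the libraries' well-known layout, and the jars built in demo() are constructed samples rather than real Archi artifacts.

```python
import io
import sys
import zipfile
from pathlib import Path

# Class/package paths used as markers. These are assumptions based on the
# well-known package layout of the libraries, not something the thread states.
LOG4J2_JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"
LOG4J2_API_PREFIX = "org/apache/logging/log4j/"
LOG4J1_PREFIX = "org/apache/log4j/"
COMMONS_LOGGING_FACADE = "org/apache/commons/logging/impl/Log4JLogger.class"


def classify_jar(names):
    """Classify one jar from its entry names (e.g. the list from zipfile.namelist())."""
    findings = set()
    has_log4j1 = any(n.startswith(LOG4J1_PREFIX) and n.endswith(".class") for n in names)
    if LOG4J2_JNDI_LOOKUP in names:
        # log4j-core 2.x with the JNDI lookup class still present
        findings.add("log4j2-core-with-JndiLookup")
    elif any(n.startswith(LOG4J2_CORE_PREFIX) and n.endswith(".class") for n in names):
        # log4j-core 2.x with JndiLookup.class removed (a common interim mitigation)
        findings.add("log4j2-core-no-JndiLookup")
    elif any(n.startswith(LOG4J2_API_PREFIX) and n.endswith(".class") for n in names):
        # log4j-api only: no lookup machinery of its own
        findings.add("log4j2-api-only")
    if has_log4j1:
        findings.add("log4j1")
    if COMMONS_LOGGING_FACADE in names and not has_log4j1:
        # commons-logging's Log4JLogger adapter with no log4j 1.x classes to adapt to
        findings.add("commons-logging-facade-only")
    return sorted(findings) or ["no-log4j-markers"]


def scan_zip_bytes(data, label, depth=0, max_depth=2):
    """Classify a jar given as bytes, recursing into embedded .jar entries."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        results[label] = classify_jar(names)
        if depth < max_depth:
            for n in names:
                if n.endswith(".jar"):
                    nested = scan_zip_bytes(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
                    results.update(nested)
    return results


def scan_plugins_dir(plugins_dir):
    """Scan every top-level jar in an Eclipse-style plugins/ directory."""
    results = {}
    for jar in sorted(Path(plugins_dir).glob("*.jar")):
        results.update(scan_zip_bytes(jar.read_bytes(), jar.name))
    return results


def build_jar(entries):
    """Build an in-memory jar from {entry name: bytes}; used only for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Run the scanner over constructed sample jars (not real Archi or Eclipse artifacts)."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic; content is irrelevant to name-based checks
    core = build_jar({LOG4J2_JNDI_LOOKUP: stub, LOG4J2_CORE_PREFIX + "Logger.class": stub})
    samples = {
        "commons-logging.jar": build_jar({
            "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
            "org/apache/commons/logging/LogFactory.class": stub,
            COMMONS_LOGGING_FACADE: stub,
        }),
        "log4j-core.jar": core,
        "log4j-core-stripped.jar": build_jar({LOG4J2_CORE_PREFIX + "Logger.class": stub}),
        "log4j-api.jar": build_jar({LOG4J2_API_PREFIX + "LogManager.class": stub}),
        "log4j1.jar": build_jar({LOG4J1_PREFIX + "Logger.class": stub}),
        "app-with-nested.jar": build_jar({"lib/log4j-core.jar": core}),
    }
    results = {}
    for label, data in samples.items():
        results.update(scan_zip_bytes(data, label))
    return results


if __name__ == "__main__":
    found = scan_plugins_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for label, verdict in found.items():
        print(f"{label}: {', '.join(verdict)}")
```

Run it as `python scan_log4j.py /path/to/Archi/plugins` to scan a real install, or with no argument to see the constructed samples classified. The check is purely name-based: it tells you whether Log4J classes are actually shipped and whether the JNDI lookup is present, which is the distinction being made about org.apache.commons.logging above, but it does not read version numbers (look at META-INF/maven/.../pom.properties for that) and says nothing about how a bundled Log4J is configured or used.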
Hi,
Quote from: ErikR on December 17, 2021, 07:50:41 AM
The Log4J class above seems to be a Log4J client.
Exactly, this is only the "facade" through which Log4J could be used if included, which is not the case.
Regards,
JB
Apache Commons Logging 1.2 comes as standard with Eclipse and so gets shipped with Archi. As JB says above, Eclipse doesn't use Log4J:
https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)