Log4j Vulnerability

Started by Rindert Dijkstra, December 16, 2021, 15:15:31 PM

Previous topic - Next topic

Rindert Dijkstra

Does anyone know if Archi is vulnerable because of log4j?

Jean-Baptiste Sarrodie

Hi,

From my knowledge of the code and this official communication from eclipse, I'd say that Archi is not vulnerable.

Regards,

JB
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

Phil Beauvoir

Short answer: no.

Long answer:

Take a look for yourself...it's all open source...

https://github.com/archimatetool/archi

And if an app or service does use Log4J there are other factors - which version of Log4J is used? How is it configured? How is it used?

And this tweet pretty much sums up my own feelings about this:

https://twitter.com/mmilinkov/status/1470867640969273345
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

Jean-Baptiste Sarrodie

Hi,

In addition to Phil's and I answers, this is only true for our official plugins. If you use third party plugins, then you'll have to check the code yourself or ask gently to their developpers.

Regards,

JB
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

Rindert Dijkstra

Thanks a lot,
(by the way, we did make a donation to Archi)
Regards,
RD

Phil Beauvoir

#5
Quote from: Rindert Dijkstra on December 16, 2021, 15:46:34 PMThanks a lot,
(by the way, we did make a donation to Archi)
Regards,
RD

My comment wasn't aimed at you in particular.
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

ErikR

Hi,

Log4J seems to be included in plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar.

I do not know the implications of this though or what version of Log4J is included.

BR
Erik


$ unzip -v plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar
Archive:  plugins/org.apache.commons.logging_1.2.0.v20180409-1502.jar
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
    5998  Defl:N     2395  60% 05-04-2018 13:53 734d8476  META-INF/MANIFEST.MF
    4452  Defl:N     1836  59% 05-04-2018 13:53 3350c63d  META-INF/ECLIPSE_.SF
    7810  Defl:N     5015  36% 05-04-2018 13:53 bdaf68ec  META-INF/ECLIPSE_.RSA
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  META-INF/
     177  Defl:N      126  29% 05-04-2018 13:53 8d3535f6  META-INF/NOTICE.txt
   11358  Defl:N     3949  65% 05-04-2018 13:53 86e2b4b4  META-INF/LICENSE.txt
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  META-INF/maven/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  META-INF/maven/org.eclipse.orbit.bundles/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/
     811  Defl:N      359  56% 04-09-2018 12:23 6a71df5f  META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/pom.xml
     145  Defl:N      134   8% 05-04-2018 13:53 75bb280d  META-INF/maven/org.eclipse.orbit.bundles/org.apache.commons.logging/pom.properties
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  OSGI-INF/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  OSGI-INF/l10n/
      87  Defl:N       79   9% 05-04-2018 13:53 05ad5008  OSGI-INF/l10n/bundle.properties
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  about_files/
   11358  Defl:N     3949  65% 05-04-2018 13:53 86e2b4b4  about_files/THE_APACHE_SOFTWARE_LICENSE__VERSION_2.0.txt
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  org/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  org/apache/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  org/apache/commons/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  org/apache/commons/logging/
       0  Defl:N        2   0% 05-04-2018 13:53 00000000  org/apache/commons/logging/impl/
    3489  Defl:N     1195  66% 05-04-2018 13:53 cc667b39  org/apache/commons/logging/impl/AvalonLogger.class
    9666  Defl:N     4248  56% 05-04-2018 13:53 cae3a660  org/apache/commons/logging/impl/SimpleLog.class
    4840  Defl:N     1937  60% 05-04-2018 13:53 9ebae271  org/apache/commons/logging/impl/Log4JLogger.class
    5381  Defl:N     2372  56% 05-04-2018 13:53 180e716b  org/apache/commons/logging/impl/WeakHashtable.class
    1186  Defl:N      543  54% 05-04-2018 13:53 cf5660a9  org/apache/commons/logging/impl/WeakHashtable$1.class
    3899  Defl:N     1434  63% 05-04-2018 13:53 7a12493d  org/apache/commons/logging/impl/Jdk14Logger.class
    2914  Defl:N     1390  52% 05-04-2018 13:53 820be9d5  org/apache/commons/logging/impl/ServletContextCleaner.class
    1669  Defl:N      587  65% 05-04-2018 13:53 01a6a705  org/apache/commons/logging/impl/WeakHashtable$WeakKey.class
    2055  Defl:N      627  70% 05-04-2018 13:53 ea84645d  org/apache/commons/logging/impl/NoOpLog.class
    3156  Defl:N     1187  62% 05-04-2018 13:53 1743e159  org/apache/commons/logging/impl/LogKitLogger.class
     816  Defl:N      438  46% 05-04-2018 13:53 a50cce2a  org/apache/commons/logging/impl/LogFactoryImpl$3.class
     596  Defl:N      348  42% 05-04-2018 13:53 f7faba2b  org/apache/commons/logging/impl/LogFactoryImpl$1.class
    2351  Defl:N      965  59% 05-04-2018 13:53 020d5b27  org/apache/commons/logging/impl/WeakHashtable$Referenced.class
     894  Defl:N      516  42% 05-04-2018 13:53 e89ec705  org/apache/commons/logging/impl/SimpleLog$1.class
    5216  Defl:N     2139  59% 05-04-2018 13:53 cdfeeaf4  org/apache/commons/logging/impl/Jdk13LumberjackLogger.class
   19598  Defl:N     8712  56% 05-04-2018 13:53 44131dba  org/apache/commons/logging/impl/LogFactoryImpl.class
     759  Defl:N      434  43% 05-04-2018 13:53 53b2b043  org/apache/commons/logging/impl/LogFactoryImpl$2.class
    1830  Defl:N      871  52% 05-04-2018 13:53 485c8cd8  org/apache/commons/logging/impl/WeakHashtable$Entry.class
    3601  Defl:N     1700  53% 05-04-2018 13:53 cefed88a  org/apache/commons/logging/LogSource.class
    1420  Defl:N      789  44% 05-04-2018 13:53 aaea4510  org/apache/commons/logging/LogFactory$4.class
     831  Defl:N      490  41% 05-04-2018 13:53 d59a717c  org/apache/commons/logging/LogFactory$3.class
     737  Defl:N      428  42% 05-04-2018 13:53 b80ced43  org/apache/commons/logging/LogFactory$6.class
    1295  Defl:N      662  49% 05-04-2018 13:53 f6a34208  org/apache/commons/logging/LogConfigurationException.class
   20791  Defl:N     9263  55% 05-04-2018 13:53 03e9495c  org/apache/commons/logging/LogFactory.class
    1986  Defl:N     1065  46% 05-04-2018 13:53 31e32ecb  org/apache/commons/logging/LogFactory$5.class
     582  Defl:N      351  40% 05-04-2018 13:53 f63f918b  org/apache/commons/logging/LogFactory$1.class
     813  Defl:N      442  46% 05-04-2018 13:53 5f073bf9  org/apache/commons/logging/LogFactory$2.class
     479  Defl:N      261  46% 05-04-2018 13:53 4b67c39d  org/apache/commons/logging/Log.class
    3450  Defl:N     1239  64% 05-04-2018 13:53 efafed9a  about.html
--------          -------  ---                            -------
  148496            64499  57%                            50 files

ErikR

Some more research:

The Log4J class above seems to be a Log4J client.
Source code for version 1.2.0 of the common logger is located on: https://github.com/apache/commons-logging/blob/bd26f32b9a24e1c5176da719c95203bba09e401c/src/main/java/org/apache/commons/logging/impl/Log4JLogger.java

Looking into the code It seems to be a connector for Log4J version 1.2 and it seems to throw an exception unless version 1.2 is available (but I admit I fail to understand the condition used). Row 78-81.

My interpretation is that the common logger as part of Archi is not a threat but please make your own independent analyses - I am just an egg.

Sorry if I stirred up and emotions with my last mail, just did not want to sit on any vulnerability knowledge on my own.






 







Jean-Baptiste Sarrodie

Hi,

Quote from: ErikR on December 17, 2021, 07:50:41 AMThe Log4J class above seems to be a Log4J client.

Exactly, this is only the "facade" through which Log4J could be used if included, which is not the case.

Regards,

JB
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.

Phil Beauvoir

Apache Commons Logging 1.2 comes as standard with Eclipse and so gets shipped with Archi. As JB says above, Eclipse doesn't use Log4J:

https://wiki.eclipse.org/Eclipse_and_log4j2_vulnerability_(CVE-2021-44228)
If you value and use Archi, please consider making a donation!
Ask your ArchiMate related questions to the ArchiMate Community's Discussion Board.