Martin - good catch with the stuff under system/karaf/caches. I'd scanned a clean build so it wasn't picking those up. For anyone updating things in-place, you'll definitely want to remove that caches directory or you'll still have vulnerable versions of the library in use. The caches directory will get recreated on next startup.
Original Message:
Sent: 12-15-2021 11:56
From: Martin Rupp
Subject: log4j security compliance -- CVE-2021-44228
I don't know if Spoon uses all of these log4j libraries. But this is not important.
Management doesn't want log4j libs < version 2.16 to be present.
Log4j 2 is not compatible with log4j 1.
But there is a mode to simulate log4j 1 with some constraints and risks.
https://logging.apache.org/log4j/2.x/manual/compatibility.html
Unfortunately the scan process also finds files which are only bridges to log4j!
E.g.: http://www.slf4j.org/legacy.html
------------------------------
Martin Rupp
Service Administrator
Siemens AG
Original Message:
Sent: 12-15-2021 07:18
From: Daniel Michael Lozynski
Subject: log4j security compliance -- CVE-2021-44228
Does Spoon use those .jars internally for logging? I created a job, some task where logging is not enabled. Still, when I delete the .jar from the folder/s, Spoon won't start.
I assume it must be used within Spoon then? I also assume it's not possible to simply exchange the .jar with a 2.15.x .jar?
------------------------------
Daniel Michael Lozynski
Product Manager
DB Systel GmbH
Original Message:
Sent: 12-15-2021 05:46
From: Martin Rupp
Subject: log4j security compliance -- CVE-2021-44228
We now have a scanner for log4j in the company.
It has found these locations in PDI 9.2 Community Edition:
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\apache-log4j-extras-1.2.17.jar contains Log4J-1.x 1.2.17 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\apache-log4j-extras-1.2.17.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4j-1.2.17.jar contains Log4J-1.x 1.2.17 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4j-1.2.17.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\log4jdbc-1.2.jar contains Log4J-1.x 1.2 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\lib\slf4j-log4j12-1.7.12.jar contains Log4J-1.x 1.7.12 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\plugins\elasticsearch-bulk-insert-plugin\lib\log4j-api-2.11.1.jar contains Log4J-2.x 2.11.1 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle243\version0.0\bundle.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle6\version0.0\bundle.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-1.x 1.10.2 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\cache\bundle7\version0.0\bundle.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\caches\spoon\data-1\tmp\8ddfb285-kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\hitachivantara\pax-logging-api-wrap\1.10.2\pax-logging-api-wrap-1.10.2.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-api\1.10.2\pax-logging-api-1.10.2.jar contains Log4J-1.x __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x 2.8.2 __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-1.x 1.10.2 __END_OF_LIFE_VERSION__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\ops4j\pax\logging\pax-logging-log4j2\1.10.2\pax-logging-log4j2-1.10.2.jar contains Log4J-2.x >= 2.0-beta9 (< 2.10.0) __VULNERABLE__
D:\Tools\Pentaho Data Integration\pdi-ce-9.2.0.0-290\data-integration\system\karaf\system\org\pentaho\di\plugins\kettle-log4j-core\9.2.0.0-290\kettle-log4j-core-9.2.0.0-290.jar contains Log4J-2.x 9.2.0.0-290 __VULNERABLE__
------------------------------
Martin Rupp
Service Administrator
Siemens AG
Original Message:
Sent: 12-14-2021 14:54
From: Dhruvesh Patel
Subject: log4j security compliance -- CVE-2021-44228
So far I found this on the Pentaho site regarding the log4j-2 vulnerability: https://support.pentaho.com/hc/en-us/articles/4416229254541-log4j-2-zero-day-vulnerability-CVE-2021-44228-
------------------------------
Dhruvesh Patel
Data Service Manager
Graham Capital
Original Message:
Sent: 12-13-2021 17:33
From: Matt Kynaston
Subject: log4j security compliance -- CVE-2021-44228
I'm on Pentaho BI server 9.1. This ships log4j 2.8.2 hidden in pentaho-solutions/system/karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar.
I have no idea where that might be used, but the only mitigation I can find is to remove JndiLookup.class from the jar (naturally you'll want to backup and test before rolling it out):
zip -q -d \
pentaho-solutions/system/karaf/system/org/ops4j/pax/logging/pax-logging-log4j2/1.10.2/pax-logging-log4j2-1.10.2.jar \
org/apache/logging/log4j/core/lookup/JndiLookup.class
------------------------------
Matt Kynaston
Chief Technology Officer
Claritum Ltd
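The three practical points in this thread (the scanner flagging jars wrapped inside Karaf `bundle.jar` caches, the `zip -d` removal of `JndiLookup.class`, and the need to re-check after an in-place update because the caches directory still holds the old copies) can be checked with one small script. The following is an added example written for this page; it is not Pentaho's code and not the scanner Martin's company used. It walks a directory tree, looks inside every jar and every jar nested inside a jar, reads the log4j-core version from the Maven `pom.properties`, reports whether `JndiLookup.class` is still present, and classifies each hit against the 2.16 threshold this thread uses. The fixture it scans is a constructed stand-in install (two lib jars plus a Karaf-style cached bundle) built in a temp directory; the jar names, the `version0.0/bundle.jar` layout and the placeholder class bytes are assumptions for the demo, and the version-threshold logic is the author's own, not a Pentaho-supplied check.

```python
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional

# Class whose presence makes the JNDI lookup reachable (what `zip -d` removes).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata carried by log4j-core jars; used to read the declared version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


@dataclass
class Finding:
    location: str            # file path; nested jar levels are joined with "!"
    version: Optional[str]   # log4j-core version from pom.properties, if present
    has_jndi_lookup: bool


def _inspect(zf: zipfile.ZipFile, location: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if version is not None or JNDI_LOOKUP in names:
        findings.append(Finding(location, version, JNDI_LOOKUP in names))
    # Karaf bundle.jar files (and shaded jars) wrap the real library jar:
    # recurse so those copies are reported as well, not just the lib/ ones.
    for name in sorted(names):
        if name.endswith(".jar"):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                _inspect(inner, f"{location}!{name}", findings)


def scan_tree(root: str) -> List[Finding]:
    """One Finding per jar (nested jars included) that looks like log4j-core."""
    findings: List[Finding] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with zf:
                _inspect(zf, path, findings)
    return findings


def _version_tuple(v: str) -> tuple:
    # "2.8.2" -> (2, 8, 2); "2.0-beta9" -> (2, 0); non-numeric tails are ignored.
    return tuple(int(m.group()) for m in (re.match(r"\d+", p) for p in v.split(".")) if m)


def status(f: Finding) -> str:
    """patched: meets the thread's >= 2.16 bar; mitigated: class stripped; else vulnerable."""
    if f.version is not None and _version_tuple(f.version) >= (2, 16):
        return "patched"
    return "mitigated" if not f.has_jndi_lookup else "vulnerable"


def remove_jndi_lookup(jar_path: str) -> bool:
    """Rewrite a top-level jar without JndiLookup.class (same effect as `zip -d`).
    Does not descend into nested jars: a cached bundle.jar that wraps log4j-core
    has to be deleted (the cache is rebuilt on startup) or rebuilt by hand."""
    tmp_path = jar_path + ".tmp"
    removed = False
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename == JNDI_LOOKUP:
                removed = True
                continue
            dst.writestr(info, src.read(info.filename))
    os.replace(tmp_path, jar_path)
    return removed


def _jar_bytes(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: metadata plus a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
    return buf.getvalue()


def build_fixture(root: str) -> str:
    """Constructed install: a 2.8.2 and a 2.16.0 jar in lib/, plus a Karaf-style cached bundle."""
    lib = os.path.join(root, "lib")
    cache = os.path.join(root, "system", "karaf", "caches", "bundle7", "version0.0")
    os.makedirs(lib)
    os.makedirs(cache)
    with open(os.path.join(lib, "log4j-core-2.8.2.jar"), "wb") as f:
        f.write(_jar_bytes("2.8.2", True))
    with open(os.path.join(lib, "log4j-core-2.16.0.jar"), "wb") as f:
        f.write(_jar_bytes("2.16.0", True))
    bundle = io.BytesIO()
    with zipfile.ZipFile(bundle, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Bundle-SymbolicName: constructed.bundle\n")
        zf.writestr("pax-logging-log4j2-1.10.2.jar", _jar_bytes("2.8.2", True))
    with open(os.path.join(cache, "bundle.jar"), "wb") as f:
        f.write(bundle.getvalue())
    return root


def demo():
    """Scan, strip the class from the lib/ jar only, scan again: the cached copy stays vulnerable."""
    root = build_fixture(tempfile.mkdtemp())
    before = scan_tree(root)
    remove_jndi_lookup(os.path.join(root, "lib", "log4j-core-2.8.2.jar"))
    after = scan_tree(root)
    return before, after


if __name__ == "__main__":
    for f in demo()[1]:
        print(f"{status(f):10} {f.version or '?':8} {f.location}")
```

Running it against a real install means calling `scan_tree` on the `data-integration` (or `pentaho-solutions`) directory instead of the fixture. The second scan in `demo` is the point of the example: after the `zip -d` style fix on the lib jar, the copy inside `system/karaf/caches/.../bundle.jar` is still reported, which is exactly why that caches directory has to go before the result of an in-place update is trusted.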
Original Message:
Sent: 12-13-2021 17:17
From: Wesley Massaker
Subject: log4j security compliance -- CVE-2021-44228
We are also using community edition (9.1), but from everything I can tell, the original poster is correct in that Pentaho uses 1.x version, which I don't believe is affected by this weekend's log4j vulnerability. I read up a little on it (not an expert on this btw), and I could not find the classes referenced in that vulnerability. Here's what I was going from when trying to troubleshoot...
https://www.socinvestigation.com/apache-log4j-vulnerability-detection-and-mitigation/
However, 1.x is no longer supported and apparently has its own vulnerability that was never patched up due to EOL, so I guess the question is how do we move Pentaho up to log4j2 v2.15?
------------------------------
Wesley Massaker
HelpDesk Support
FitzMark Inc
Original Message:
Sent: 12-10-2021 15:54
From: IAN BEATTY
Subject: log4j security compliance -- CVE-2021-44228
There's a questionably large RCE exploit announced today (https://nvd.nist.gov/vuln/detail/CVE-2021-44228) that may or may not impact pdi. The more I read about it, the more obvious it becomes that this is a way larger issue than we (as of this writing) understand.
pdi-ce 9.2 still uses a log4j jar from 2012 that hit EOL in 2015. 1.x versions aren't even tested for security compliance by the log4j team anymore (you know, because EOL...) and they urge anyone using log4j to update to 2 in order to receive security updates.