I found multiple vulnerability issues related to Log4j in a vulnerability assessment, and they are listed below:
Apache Log4j Unsupported Version Detection
Apache Log4j 1.x Multiple Vulnerabilities
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
It suggests upgrading its version. And it comes under the PySpark package. So I uninstalled the package since I am not using it. But the same issue was found again.
How can I solve this issue? Can anyone suggest a solution to solve this problem?
I'm trying to initialize a local Hybris 2205.3 version and am getting the following error:
ERROR [hybrisHTTP27] [HacInitUpdateFacade] Failed to initialize
java.lang.IllegalArgumentException: Property 'http://javax.xml.XMLConstants/property/accessExternalSchema' is not recognized.
Using Oracle JDK 17.0.4.1. Initialization triggered from HAC.
I've also tried adding the following property to tomcat.generaloptions, which didn't help:
"-Djavax.xml.accessExternalSchema=all"
Any pointers to fix this? Or need more information?
It could be that one of the custom jars is an older version and is conflicting with OOB. In one of our projects we faced a similar issue and found that the xerces.jar version in custom code was a lower version.
In both jars, i.e. in OOB and custom, there was an XMLConstants class, but the lower-version jar used in custom code didn't have accessExternalSchema as a class variable and was being picked up by the system on startup because of the conflict.
Oracle JDK is not supported anymore; you need to try with SapMachine 17.0.
The whole system requirements by version are here.
We resolved the issue with Oracle JDK 17 only. We faced the same issue while upgrading from 2105 to 2211. This is due to a jar dependency. We tried the above-given solution but it didn't work for us. We researched more and found the issue was a dependency on xerces which caused a conflict. We also found there is "xerces-2.12-orbeon" in OOTB. We did two things to resolve the issue:
We updated the classpath with xerces-2.12-orbeon (OOTB jar) in our custom code.
We needed to modify a few parts of the code base as we were using xerces for Base64 encryption and decryption for SSO.
Please let me know if you have any questions, I will try my best to respond in time.
Regards,
Abhijit Das
Please find the link here:
https://answers.sap.com/questions/13781195/hybris-2211-upgradation-error.html?childToView=13818282
In our project, we are running Spark 2.3 with 7 nodes.
Recently, as part of a security scan, a log4j vulnerability was reported by the security team.
We can see log4j 1.x jar in the spark folder (/opt/spark/jars/log4j-1.2.17.jar).
We tried to replace the jar with the log4j 2.17.1 version and tried to run Spark. But Spark is failing with "NoClassDefFoundError" for class org/apache/log4j/or/RendererMap.
Please help me to resolve this issue.
Try using log4j-1.2-api version 2.17.1:
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-1.2-api
You need to copy 3 jars (core, api, bridge) from https://archive.apache.org/dist/logging/log4j/ and put them in the spark/jar folder.
Refer this page for details.
https://logging.apache.org/log4j/2.x/manual/migration.html
I am using wildfly-11.0.0-final. I can see the log4j-jboss-logmanager jar has a log4j 1.2.16 dependency. Will it be affected? How to mitigate this?
If you are not using the JMSAppender you shouldn't be exposed if I understand https://www.wildfly.org/news/2021/12/13/Log4j-CVEs/ correctly.
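The three threads above (the xerces jar conflict in Hybris, log4j-1.2.17.jar under /opt/spark/jars, and whether JMSAppender is actually in use on WildFly) all come down to "what exactly is on the classpath". Here is a small inventory script as an added example; it is not code from any of the posts or from the Log4j project. It opens every jar in a directory, reads the manifest Implementation-Version, checks for three marker classes (org/apache/log4j/net/JMSAppender.class, the Log4j 1.x class named in CVE-2021-4104; org/apache/logging/log4j/core/lookup/JndiLookup.class, the Log4j 2 lookup class removed in 2.16.0; and org/apache/log4j/Logger.class, which both log4j 1.x and the log4j-1.2-api bridge ship), then lists every class provided by more than one jar, which is exactly the shadowing situation where classpath order decides which copy loads. It also checks a log4j.properties or log4j.xml for a JMSAppender reference, since the "not using JMSAppender" condition is about configuration, not about the class merely being present. The fixture jars it builds when run without an argument are constructed for the demo and are not real artifacts.

```python
"""Jar inventory for the Log4j questions above (added example, not code from
any of the posts). Walks a jar directory such as /opt/spark/jars and, per jar,
reports the manifest Implementation-Version plus three marker classes:
  - org/apache/log4j/net/JMSAppender.class                 Log4j 1.x, CVE-2021-4104
  - org/apache/logging/log4j/core/lookup/JndiLookup.class  Log4j 2 JNDI lookup (removed in 2.16.0)
  - org/apache/log4j/Logger.class                          shipped by log4j 1.x AND log4j-1.2-api
then lists classes provided by more than one jar (classpath shadowing) and
greps a Log4j 1.x config for a JMSAppender reference. Sample jars are constructed."""
import os
import re
import sys
import tempfile
import zipfile
from collections import defaultdict

JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J1_API = "org/apache/log4j/Logger.class"
MARKERS = {"jms_appender": JMS_APPENDER, "jndi_lookup": JNDI_LOOKUP, "log4j1_api": LOG4J1_API}


def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None


def inspect_jar(path):
    """Marker-class presence, manifest version and the full class list of one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        info = {"jar": os.path.basename(path), "version": manifest_version(zf)}
    info.update({flag: cls in names for flag, cls in MARKERS.items()})
    info["classes"] = {n for n in names if n.endswith(".class")}
    return info


def scan_jar_dir(directory):
    """Inspect every *.jar below directory; return (per-jar findings, duplicate classes)."""
    findings, providers = [], defaultdict(list)
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            if name.endswith(".jar"):
                info = inspect_jar(os.path.join(root, name))
                findings.append(info)
                for cls in info["classes"]:
                    providers[cls].append(info["jar"])
    duplicates = {c: sorted(j) for c, j in providers.items() if len(j) > 1}
    return findings, duplicates


def config_uses_jms_appender(config_text):
    """True if a log4j.properties / log4j.xml wires org.apache.log4j.net.JMSAppender."""
    return re.search(r"org\.apache\.log4j\.net\.JMSAppender", config_text) is not None


def build_sample_jars():
    """CONSTRUCTED fixtures, not real artifacts: minimal jars carrying the manifest
    version and marker classes of log4j-1.2.17, log4j-1.2-api-2.17.1 and a
    pre-2.16 log4j-core. Class bodies are just the class-file magic number."""
    d = tempfile.mkdtemp(prefix="jars-")
    fixtures = {
        "log4j-1.2.17.jar": ("1.2.17", [LOG4J1_API, JMS_APPENDER]),
        "log4j-1.2-api-2.17.1.jar": ("2.17.1", [LOG4J1_API]),
        "log4j-core-2.14.1.jar": ("2.14.1", [JNDI_LOOKUP]),
    }
    for name, (ver, classes) in fixtures.items():
        with zipfile.ZipFile(os.path.join(d, name), "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {ver}\r\n")
            for cls in classes:
                zf.writestr(cls, b"\xca\xfe\xba\xbe")
    return d


def report(directory):
    """Print the inventory; returns the same (findings, duplicates) as scan_jar_dir."""
    findings, duplicates = scan_jar_dir(directory)
    for f in findings:
        flags = " ".join(k for k in MARKERS if f[k]) or "-"
        print(f"{f['jar']:28} version={f['version'] or '?':8} {flags}")
    for cls, jars in sorted(duplicates.items()):
        print(f"DUPLICATE {cls} in {', '.join(jars)}: classpath order decides which one loads")
    return findings, duplicates


if __name__ == "__main__":
    report(sys.argv[1] if len(sys.argv) > 1 else build_sample_jars())
```

Run it against the real directory (`python jar_inventory.py /opt/spark/jars`; the file name is an assumption). A JMSAppender.class hit tells you the 1.x code is shipped; the config check is what tells you whether it is wired up. A DUPLICATE line for org/apache/log4j/Logger.class is the sign that log4j-1.2.17.jar was left next to the bridge, and for javax/xml/XMLConstants.class that two xerces versions are competing.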
We are running WSO2 1.8.0 API Manager (I know it's old :-)).
I wanted to check if the latest log4j vulnerability has any patch/fix available for the WSO2 API Manager version we are running. I didn't find any update in the WSO2 security advisory list: https://docs.wso2.com/display/Security/2021+Advisories
Log4j security issue - https://logging.apache.org/log4j/2.x/security.html
Appreciate any thoughts on the question.
Thanks
Updated: here is the official WSO2 link for this CVE, I can't believe I missed this earlier. It appears the answer is that you are not affected. https://docs.wso2.com/pages/viewpage.action?pageId=180948677
(There is a different, older CVE for log4j 1.x but WSO2 has clarified that it does not affect their products: https://docs.wso2.com/display/Security/CVE-2019-17571)
I'm upgrading Log4j-1.2.17 to Log4j2-2.12.2 in my project.
To do that I'm using the log4j-1.2 bridge.
In the old version I used a property file to configure log4j.
After the upgrade everything looks OK, no errors, no warnings. But logs don't appear in the file pointed to in the properties file.
I realized that PropertyConfigurator.class exists in log4j-1.2-api.jar, but the methods don't have an implementation:
empty PropertyConfigurator.configure(Properties properties)
Can you explain that to me?
Which configuration syntax is correct when I use log4j-1.2-api.jar? log4j or log4j2?
Prior to Log4j 2.13.0, log4j-1.2-api only provides compatibility for applications that used the log4j 1.x API for logging. The Log4j 2 configuration is still used, as all logging calls are redirected to Log4j 2. So only the Log4j 2 configuration syntax would be valid.
Many of the old log4j 1.x internal classes are also present because many applications were using them in an attempt to manually manipulate logging, much of which probably isn't necessary with Log4j 2.
In Log4j 2.13.0 the log4j-1.2-api was extended to provide experimental support for Log4j 1.x configuration files. You would have to compare your log4j 1 configurations with the documentation to determine if that support will work for you. However, the Log4j 1.x PropertyConfigurator still will be a no-op even with the compatibility support.
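Following on from the answer above: since log4j-1.2-api routes everything to Log4j 2 and PropertyConfigurator is a no-op, the old log4j.properties has to be rewritten in Log4j 2 syntax. As an added example (not code from the answer or from the Log4j project), here is a converter for the subset most 1.x properties files use: rootLogger, named loggers with additivity, ConsoleAppender and FileAppender with PatternLayout and Threshold. The Log4j 2 element and attribute names it emits (Console/target, File/fileName/append, PatternLayout/pattern, ThresholdFilter, Logger, Root, AppenderRef) are the standard ones from the Log4j 2 configuration manual; the sample properties file is constructed. Anything it does not know (RollingFileAppender, JMSAppender, non-pattern layouts) makes it raise, so nothing is dropped silently.

```python
"""log4j.properties -> log4j2.xml converter (added example, not code from the
answer or from the Log4j project). Handles rootLogger, named loggers with
additivity, Console and File appenders with PatternLayout and Threshold.
Anything else raises so it gets ported by hand. Sample input is constructed."""
import re
import xml.etree.ElementTree as ET
from xml.dom import minidom

LEVELS = {"ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"}
CONSOLE_TARGETS = {"System.out": "SYSTEM_OUT", "System.err": "SYSTEM_ERR"}
# log4j 1.x appender class -> (Log4j 2 element, {1.x property: 2.x attribute})
APPENDERS = {
    "org.apache.log4j.ConsoleAppender": ("Console", {"Target": "target"}),
    "org.apache.log4j.FileAppender": ("File", {"File": "fileName", "Append": "append"}),
}


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments,
    no line continuations or escapes."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def split_level_refs(value):
    """'INFO, A1, FILE' -> ('info', ['A1', 'FILE']); the level part is optional."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    if parts and parts[0].upper() in LEVELS:
        return parts[0].lower(), parts[1:]
    return None, parts


def build_appender(parent, name, props):
    cls = props[f"log4j.appender.{name}"]
    if cls not in APPENDERS:
        raise ValueError(f"appender {name}: no mapping for {cls}, port it by hand")
    element, attr_map = APPENDERS[cls]
    node = ET.SubElement(parent, element, name=name)
    prefix = f"log4j.appender.{name}."
    for key, val in props.items():
        if not key.startswith(prefix):
            continue
        prop = key[len(prefix):]
        if prop in attr_map:
            node.set(attr_map[prop], CONSOLE_TARGETS.get(val, val))
        elif prop == "layout":
            if val != "org.apache.log4j.PatternLayout":
                raise ValueError(f"appender {name}: unsupported layout {val}")
        elif prop == "layout.ConversionPattern":
            # %d %p %c %t %m %n mean the same in Log4j 2's PatternLayout; passed through
            ET.SubElement(node, "PatternLayout", pattern=val)
        elif prop == "Threshold":
            ET.SubElement(node, "ThresholdFilter", level=val, onMatch="ACCEPT", onMismatch="DENY")
        else:
            raise ValueError(f"appender {name}: unmapped property {prop}")
    return node


def convert(properties_text):
    """Return the Log4j 2 <Configuration> element equivalent to a 1.x properties file."""
    props = parse_properties(properties_text)
    root = ET.Element("Configuration", status="WARN")
    appenders = ET.SubElement(root, "Appenders")
    loggers = ET.SubElement(root, "Loggers")
    names = sorted(m.group(1) for m in (re.fullmatch(r"log4j\.appender\.([^.]+)", k) for k in props) if m)
    for name in names:
        build_appender(appenders, name, props)

    def add_refs(node, refs):
        for ref in refs:
            if ref not in names:
                raise ValueError(f"logger references undefined appender {ref}")
            ET.SubElement(node, "AppenderRef", ref=ref)

    for key, val in sorted(props.items()):
        m = re.fullmatch(r"log4j\.logger\.(.+)", key)
        if not m:
            continue
        level, refs = split_level_refs(val)
        node = ET.SubElement(loggers, "Logger", name=m.group(1))
        if level:
            node.set("level", level)
        additivity = props.get(f"log4j.additivity.{m.group(1)}")
        if additivity is not None:
            node.set("additivity", additivity)
        add_refs(node, refs)
    level, refs = split_level_refs(props.get("log4j.rootLogger", "ERROR"))  # "error" is Log4j 2's default root level
    add_refs(ET.SubElement(loggers, "Root", level=level or "error"), refs)
    return root


def to_xml(root):
    """Pretty-printed log4j2.xml text."""
    return minidom.parseString(ET.tostring(root)).toprettyxml(indent="  ")


SAMPLE = """\
# CONSTRUCTED sample log4j.properties in the shape of the question above
log4j.rootLogger=INFO, STDOUT, FILE
log4j.logger.com.example.sso=DEBUG, STDOUT
log4j.additivity.com.example.sso=false
log4j.appender.STDOUT=org.apache.log4j.ConsoleAppender
log4j.appender.STDOUT.Target=System.err
log4j.appender.STDOUT.layout=org.apache.log4j.PatternLayout
log4j.appender.STDOUT.layout.ConversionPattern=%d{ISO8601} %-5p [%t] %c - %m%n
log4j.appender.FILE=org.apache.log4j.FileAppender
log4j.appender.FILE.File=logs/app.log
log4j.appender.FILE.Append=true
log4j.appender.FILE.Threshold=WARN
log4j.appender.FILE.layout=org.apache.log4j.PatternLayout
log4j.appender.FILE.layout.ConversionPattern=%d %p %c{1} %m%n
"""

if __name__ == "__main__":
    print(to_xml(convert(SAMPLE)))
```

Save the output as log4j2.xml on the classpath (or point the log4j2.configurationFile system property at it) and delete the old log4j.properties so nothing keeps reading it. The conversion pattern is passed through unchanged because the characters a typical 1.x file uses mean the same in Log4j 2; anything more exotic should be checked against the Log4j 2 PatternLayout documentation.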