CVE-2021-44228 + slf4j + common-logging - log4j

I am using slf4j in my project with the following :
implementation "org.slf4j:slf4j-api:${versions.slf4japi}" (1.7.32)
implementation "org.slf4j:slf4j-simple:${versions.slf4jsimple}" (1.7.32)
I am really confused because I don't have the log4j-1.2.17.jar in my project but in common-logging I have this dependency :
<dependency>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
<version>1.2.17</version>
<optional>true</optional>
</dependency>
I am aware that they made a statement and I am nearly kind of sure that my project is concerned and I don't know how I can fix it ! Any help will be appreciated

First of all, as mentioned in the SLF4J post you have linked, Log4j 1 is not affected by CVE-2021-44228 (but is end of life and affected by other vulnerabilities). Additionally it is marked as optional dependency so by default not included when you depend on common-logging, see the POM Reference and Introduction to the Dependency Mechanism, which mentions this as well:
It may be helpful to think of optional dependencies as "excluded by default."

Related

Was OpenSagres allowed to use Apache POI-like packages?

While searching for a free solution to implement a DOC(x)-to-PDF transformation for an internal business application, I stumbled upon the org.apache.poi.xwpf.converter.* packages.
I found some examples e.g.
http://www.programcreek.com/java-api-examples/index.php?api=org.apache.poi.xwpf.converter.pdf.PdfOptions
I saw the packages starting with "org.apache.poi..." so I thought "oh great, OSS". But after further search, I realized that source code isn't coming from Apache, rather from an obscure French company I never heard of, OpenSagres: http://www.opensagres.fr/
For example http://poi.apache.org/apidocs/index.html has nothing about those packages.
I then found the matching Javadoc API: http://oss.opensagres.fr/xdocreport/javadoc/1.0.3/org/apache/poi/xwpf/converter/core/package-summary.html
...as well as source code on GitHub:
https://github.com/opensagres/xdocreport/wiki/XWPFConverterPDFViaIText org.apache.poi.xwpf.converter.pdf provides...
<dependency>
<groupId>fr.opensagres.xdocreport</groupId>
<artifactId>org.apache.poi.xwpf.converter.pdf</artifactId>
<version>${XDOCREPORT_VERSION}</version>
</dependency>
https://github.com/opensagres/xdocreport/wiki/XWPFConverterXHTML org.apache.poi.xwpf.converter.xhtml provides...
<dependency>
<groupId>fr.opensagres.xdocreport</groupId>
<artifactId>org.apache.poi.xwpf.converter.xhtml</artifactId>
<version>XDOCREPORT_VERSION</version>
</dependency>
Jars are also available (for download) inside docx.converters-xxx-sample.zip archive file, packaged (under the "libs" folder) as:
org.apache.poi.xwpf.converter.core-1.0.4.jar
org.apache.poi.xwpf.converter.pdf-1.0.4.jar
org.apache.poi.xwpf.converter.xhtml-1.0.4.jar
And when you look at the source code, there is even a copyright for The XDocReport Team e.g. see
https://github.com/opensagres/xdocreport/blob/master/thirdparties-extension/org.apache.poi.xwpf.converter.core/src/main/java/org/apache/poi/xwpf/converter/core/AbstractXWPFConverter.java
Copyright (C) 2011-2015 The XDocReport Team <xdocreport#googlegroups.com>
How is that even possible? I mean, prefixing a package from a well-known entity which releases OSS should be restricted, no?
Moreover, even if not coming from Apache, I can't use this source code/library/whatever, because:
(it) depends on iText 2.1.7 due to licensing issue(s), see: iText 5.5.0 with XDocReport 1.0.4 which should not be used anymore (but can I really trust the commenter... as he's the author of the code??? https://stackoverflow.com/users/1622493/bruno-lowagie )
there's a version with iText 5.x (https://github.com/opensagres/xdocreport/tree/master/thirdparties-extension/org.apache.poi.xwpf.converter.pdf.itext5) but it's not free! see http://itextpdf.com/Pricing
So how am I supposed to do?

May I use jxls and apache poi together?

I'm making an application to analize some data and the result must be presented in excel files. In that sense I started to use Apache POI (3.11). Due to some reports consumes a lot of time and memory to be reproduce, I made an investigation and I found jxls, after some test I thought was the solution. But now I found a problem: can´t work both frameworks together.
I have to update Apache POI from 3.11 to 3.14, in order to work with jxls-2.3.0
I made an extra package in order to make my tests with jxls, not problem
I try to migrated one of my classes from Apache POI to jxls, and a I got this error: java.lang.IllegalStateException: Cannot load XLS transformer. Please make sure a Transformer implementation is in classpath. This is the code of my method:
private void prepareNewReport(File excelFile) {
List perforaciones = makePerforacionReport
.makePerforacionData(escenario);
try (InputStream is = ReportePerforacionTotalDialog.class
.getResourceAsStream("PerforacionTotal_template.xls")){
try (OutputStream os = new FileOutputStream(excelFile)) {
Context context = new Context();
context.putVar("perforaciones", perforaciones);
JxlsHelper.getInstance().processTemplate(is, os, context);
LOGGER.logger.log(Level.INFO, "Archivo de perfortacion generado con éxito");
}
} catch (IOException e) {
LOGGER.logger.log(Level.SEVERE, "Problemas buscando el archivo", e);
}
}
How could be this possible?. In the same project I have my test class, just another package and its working fine. As you can see it´s not so much different from the example in the jxls page and the imports are the same.
But even worst, when I tried to make clean & build of my project, then I got this other error:
java.lang.RuntimeException: com.sun.tools.javac.code.Symbol$CompletionFailure: class file for org.openxmlformats.schemas.officeDocument.x2006.docPropsVTypes.CTArray not found
I looked at every library that I importede in order to work with jxls and apache poi, and that´s rigth, that class is not there. Just to see if there a conflict among these two framewoks, I eliminated from the class path all libraries needed to use jxls. Clean & build again, and not problem, I have my .jar file to send to my customer, but incomplete.
I could try to replace all classes that use Apache POI, but that means a lot of work, since POI is used in my project to read excel files with data many times and to write another many files to excel. I planned to use jxls in order to take advantage of use templates.
I will apreciate any help or suggestion.
For the first error, it would appear that the JXLS transformer for Apache POI is missing in your classpath when running the application. Check the JXLS getting started info here: http://jxls.sourceforge.net/getting_started.html
As it is explained in Transformers section (see Main Concepts)) Jxls core module does not depend on any specific Java-Excel library and works with Excel exclusively through a predefined interface. Currently Jxls supplies two implementations of this interface in separate modules based on the well-known Apache POI and Java Excel API libraries.
If you're using maven, be sure to include in your pom.xml the jxls-poi dependency listed on the JXLS getting started page:
<dependency>
<groupId>org.jxls</groupId>
<artifactId>jxls-poi</artifactId>
<version>1.0.9</version>
</dependency>
For the second issue, org.openxmlformats.schemas.officeDocument.x2006.docPropsVTypes.CTArray is not in the apache POI ooxml schemas jar files for either 3.11 (poi-ooxml-schemas-3.11-20141221.jar) or 3.14 (poi-ooxml-schemas-3.14-20160307.jar). POI uses a stripped down set of ooxml schema classes, you will need to get the ooxml schemas complete jar from http://central.maven.org/maven2/org/apache/poi/ooxml-schemas/1.3/ or if you're using maven (or another build tool), get the dependency for your build from https://mvnrepository.com/artifact/org.apache.poi/ooxml-schemas/1.3
e.g for maven:
<!-- https://mvnrepository.com/artifact/org.apache.poi/ooxml-schemas -->
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>ooxml-schemas</artifactId>
<version>1.3</version>
</dependency>
Be sure to remove the poi-ooxml-schemas dependency from your maven pom.xml so that ooxml-schemas above takes precedence instead.

ASM's Frame class has no generic type

ASM documentation (pdf) says, that Frame class has generic type, providing an example of usage: Frame<BasicValue>. (at p. 119, if needed)
When looking at the source, we can see it's declaration like Frame<V extends Value>.
But for some reason, when in my project I specify maven dependencies,
<dependency>
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<version>4.2</version>
</dependency>
<dependency>
<groupId>org.ow2.asm</groupId>
<artifactId>asm-analysis</artifactId>
<version>4.2</version>
</dependency>
or just load according artifacts manually from repository, attempt to use Frame<...> ends with error:
Type org.objectweb.asm.tree.analysis.Frame doesn't have type parameters
And Intellij IDEA decompiler says Frame really has no ones.
The same issue takes place with Analyzer and Interpreter classes.
How can I beat that?
Complementing an answer of #dejvuth:
asm-debug-all happens to be of Java 5.0 version and contains all generic types. Morever, it's binary compatible with plain asm library with no generics
From ASM FAQ
14. What is the earliest JDK required to use ASM?
...
The asm.util and asm.tree packages require JDK 1.2, ...
and History of ASM 4.0 RC1
generified the API to use generics and varargs. However, almost all jars are still small and 1.2 compatible.
Basically, when jarred, ASM optimizes the bytecode, which (among others) makes it backward-compatible with 1.2 by changing its major version to 46 (see org.objectweb.asm.optimizer.ClassOptimizer).
I guess there are two options available: use it without generics or compile the source by yourself.

XSSF prefix for POI

I am not able to use XSSF prefix for POI . When i run the code following error is given . Please help me out
Error:run:
Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xmlbeans/XmlObject
at javacodechefsummer.Javacodechefsummer.main(Javacodechefsummer.java:36)
The Apache POI website has a whole section on the components and their dependencies, which a staggeringly high number of people seem to completely ignore... (Just look at the number of similar questions every week to see!)
If you care to take a read through it, you'll clearly see the dependencies that are required by XSSF. These dependencies ship with Apache POI, you just need to add them to your classpath. From your error, you are missing xmlbeans, and possibly some others too
if u r using maven the dependencies are
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi</artifactId>
<version>3.8-beta3</version>
</dependency>
<dependency>
<groupId>org.apache.poi</groupId>
<artifactId>poi-ooxml</artifactId>
<version>3.8-beta3</version>
</dependency>

Migrate from wicket 1.4 to 1.5 now not able to import packages

I have a project I built in Wicket 1.4. When I moved to 1.5 to take advantage of the IEvent feature, suddenly I can't compile because the wicket java pages can't see the packages of my service tier. My service tier is built in groovy 2.0.0, though I doubt that this is the problem. I must be missing something obvious. Below are my dependencies:
where wicket version is 1.5.7
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-core</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-extensions</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-spring</artifactId>
<version>${wicket.version}</version>
</dependency>
<dependency>
<groupId>org.apache.wicket</groupId>
<artifactId>wicket-ioc</artifactId>
<version>${wicket.version}</version>
</dependency>
my imports are well...imports
Thank you for your help Don, but it turns out I had made a change to my pom file where I removed the <goal>generateStubs</goal>
<goal>generateTestStubs</goal>
from my gmaven plugin executions. The problem didn't surface since I hadn't made a change in my groovy code and then when I did make a change it wasn't compiling the groovy code at all which is what led to the absence of the groovy packages. It just happened to coincide with my wicket version change.

Resources