We are running WSO2 1.8.0 API Manager (I know it's old :-))
I wanted to check if the latest log4j vulnerability has any patch/fix available for the WSO2 API Manager version we are running. I didn't find any update in the WSO2 security advisory list: https://docs.wso2.com/display/Security/2021+Advisories
Log4j security issue - https://logging.apache.org/log4j/2.x/security.html
Appreciate any thoughts on the question.
Thanks
Updated: here is the official WSO2 link for this CVE, I can't believe I missed this earlier. It appears the answer is that you are not affected. https://docs.wso2.com/pages/viewpage.action?pageId=180948677
(There is a different, older CVE for log4j 1.x but WSO2 has clarified that it does not affect their products: https://docs.wso2.com/display/Security/CVE-2019-17571)
Related
I found multiple vulnerability issues related to Log4j in a vulnerability assessment; they are listed below:
Apache Log4j Unsupported Version Detection
Apache Log4j 1.x Multiple Vulnerabilities
Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
It suggests upgrading its version. And it comes under the PySpark package. So I uninstalled the package since I am not using it. But again the same issue was found.
How can I solve this issue? Can anyone suggest a solution to solve this problem?
I'm currently developing a JSF app on Quarkus using MyFaces (2.3-next-M7), but due to a bug that I raised here I can't use it in production and I am eagerly waiting for version 2.3-next-M8. Would someone know when it is supposed to be released?
I haven't found any information on MyFaces' site or MyFaces' issue tracker.
Thanks for your help.
Is it safe to use log4j with karate latest version 1.1.0?
Will the log4j vulnerabilities affect the framework? Is there any way to update log4j version to 2.17.0 in the mix?
Karate does not use log4j and uses logback instead. Maybe you are using an old version, so you need to upgrade.
Note that even logback had a vulnerability so you should use Karate 1.2.0.RC2, please find details here: https://twitter.com/getkarate/status/1471710785051103233
We have passed Apiman-2.0.0.final through security scans and came up with some critical/high vulnerabilities, mostly relevant to keycloak-core-10.0.2.
Fixes for this vulnerability are available in higher versions of keycloak.
I would like to know how you handle these scenarios.
Should we repackage the war locally for us to use? We can create a pull request if it works.
Should we open a Jira item? I cannot see 2.0.0 being supported on the Red Hat Jira: https://issues.redhat.com/projects/APIMAN/summary
Please post issues on our GitHub issue tracker, not Stack Overflow: https://github.com/apiman/apiman/issues
We're using a newer version of Keycloak for the upcoming community release. You can indeed use your own separate Keycloak instance (recommended for a real deployment), rather than the one bundled in the quickstart.
When I launch WSO2 API Manager, I get the following notice:
There are 177 updates available for the product 'wso2am-3.2.0'.[WARNING] There
are 13 critical security updates for the product 'wso2am-3.2.0'. WSO2 strongly
recommends to apply these updates in production as soon as possible.
WSO2 doesn't bundle security updates, so I head to the GitHub issues. The problem is that if I go to the security tag, I don't see anything relevant to the 3.2.0 release: https://github.com/wso2/product-apim/issues?q=label%3Asecurity+is%3Aclosed
There is one "critical for 3.2.0": https://github.com/wso2/product-apim/issues?q=label%3ASeverity%2FCritical+label%3AAffected%2F3.2.0
There are two more using this deprecated tag: https://github.com/wso2/product-apim/issues?q=label%3ASeverity%2FCritical+label%3A3.2.0
So, it seems like what you have to do is look at the 4.0 milestones and cherry-pick those fixes and backport them.
Is there a tag I am missing? Is someone bundling these?
Thanks!
You can find the security advisories here: https://docs.wso2.com/display/Security/2020+Advisories