FHIR Chat · log4shell vulnerability · hapi

Stream: hapi

Topic: log4shell vulnerability


Morten Ernebjerg (Dec 12 2021 at 13:57):

A critical vulnerability in the Java logging library log4j was just discovered: CVE-2021-44228, aka log4shell. This library is also used in HAPI, and a GitHub ticket was already created. Are you able to estimate how long it will take before a patched version of HAPI is released? Also, is there any HAPI-specific advice for users (beyond the generic guidance for dealing with this vulnerability)?

Patrick Werner (Dec 12 2021 at 13:59):

All good: https://www.smilecdr.com/our-blog/a-statement-on-log4shell-cve-2021-44228

Morten Ernebjerg (Dec 12 2021 at 14:05):

Thanks, good to know :sweat_smile: I was looking at the POM file for the latest release and there log4j still appears.

Might any of the previous HAPI/JPA starter releases be affected?

Patrick Werner (Dec 12 2021 at 14:09):

JpaStarter used logback from the beginning (the log4j libraries are only included for compatibility). So if you didn't change that to Log4J, you should be good.

Morten Ernebjerg (Dec 12 2021 at 20:07):

Would still be nice to bump the "pseudo-dependency" in HAPI to the patched version to avoid the vulnerable version showing up on the list of dependencies when using HAPI (which is what I saw).

Jens Villadsen (Dec 12 2021 at 20:08):

I thought about it in the starter project.

Morten Ernebjerg (Dec 12 2021 at 20:21):

Would be one less worry in the dependency jungle :grinning:

Patrick Werner (Dec 12 2021 at 21:36):

Morten Ernebjerg said:

Would still be nice to bump the "pseudo-dependency" in HAPI to the patched version to avoid the vulnerable version showing up on the list of dependencies when using HAPI (which is what I saw).

Just created https://github.com/hapifhir/hapi-fhir/pull/3240

Patrick Werner (Dec 13 2021 at 11:43):

And it's already merged. Thanks @James Agnew!

James Agnew (Dec 13 2021 at 16:18):

FYI to anyone looking for more detail on why we're ok (a few people have asked for more detail on the blog post, I'm doing that today)

The general gist is that we only include log4j-api because Hibernate needs it. Hibernate's logging uses log4j (via log4j-api and then slf4j-over-log4j) and is therefore technically going through the vulnerable codebase. But Hibernate doesn't log any user-supplied messages in the way that HAPI FHIR uses it. So it would not be possible to exploit this vulnerability.

Outside of Hibernate, all logging we do goes directly through slf4j and therefore skips log4j entirely.

Jens Villadsen (Dec 13 2021 at 19:00):

@James Agnew I don't think log4j-api is vulnerable - it's log4j-core that is vulnerable, AFAIK.

James Agnew (Dec 14 2021 at 17:44):

Ah, interesting @Jens Villadsen. When I looked at the CVE writeup on Monday it specifically called out both log4j-api and log4j-core as being vulnerable.

That doesn't seem to be the case anymore, and the actual commit that fixes this only touches log4j-core: https://gitbox.apache.org/repos/asf?p=logging-log4j2.git;h=001aaad

Jens Villadsen (Dec 14 2021 at 17:52):

Yep

Jens Villadsen (Dec 14 2021 at 21:37):

@James Agnew while I have your attention ... -> you might want to update this: https://hapifhir.io/hapi-fhir/blog/ as it is a bit outdated

Morten Ernebjerg (Dec 15 2021 at 07:32):

History repeating: The fix in log4j v2.15 was incomplete cf. CVE-2021-45046. So 2.16 is the new 2.15 - @Patrick Werner looks like another bump is needed to avoid red lights flashing....

Morten Ernebjerg (Dec 15 2021 at 07:34):

(assuming HAPI is at all affected)

Jens Villadsen (Dec 15 2021 at 07:35):

It ain't.

Jens Villadsen (Dec 15 2021 at 07:35):

HAPI uses logback

Patrick Werner (Dec 15 2021 at 08:51):

Some people are alerted seeing log4j-api versions < 2.16 in the dependencies, and some CVE checkers are failing as well. I don't see harm in bumping the version to the latest, agreeing that this is a placebo.

Patrick Werner (Dec 15 2021 at 08:53):

https://jira.qos.ch/browse/LOGBACK-1591
Newest logback removes JNDI and JDBC functions to mitigate a theoretical attack vector.

Patrick Werner (Dec 15 2021 at 08:53):

https://github.com/hapifhir/hapi-fhir/pull/3248

  • bumps log4j-to-slf4j
  • updates logback to the newest version

Jens Villadsen (Dec 15 2021 at 09:05):

There will always be someone's CVE checker tool out there that fails.

Patrick Werner (Dec 15 2021 at 09:08):

I personally totally agree with your point. Unfortunately I know too many users of HAPI who are irritated by seeing something with log4j in the project.

Morten Ernebjerg (Dec 15 2021 at 13:09):

Right, lowering expectable developer stress is a worthy cause, even if it is unfounded :wink:

James Agnew (Dec 16 2021 at 13:16):

Yeah for sure I have no issues with bumping the log4j version even if it's unnecessary. If we're causing CVE checkers to flash, that's annoying stress for people using the library.


Last updated: Apr 12 2022 at 19:14 UTC