Stream: trifolia-on-fhir
Topic: log4j vulnerability in ToF
Chetan Jain (Dec 13 2021 at 14:28):
Are ToF releases impacted by log4j issue?
Sean McIlvenna (Dec 13 2021 at 15:25):
No. log4j is a Java module, and ToF is built using JavaScript technologies.
Sean McIlvenna (Dec 13 2021 at 15:25):
Having said that, it DOES execute the Java FHIR IG publisher...
Sean McIlvenna (Dec 13 2021 at 15:26):
So, it will be important for HL7 to evaluate the FHIR IG Publisher to determine if it uses the log4j versions that are vulnerable
Chetan Jain (Dec 13 2021 at 15:31):
Thanks @Sean McIlvenna !!
Chetan Jain (Dec 14 2021 at 07:00):
@Sean McIlvenna Our internal scanner has critically flagged the below vulnerability -
pkg:nuget/log4net@2.0.0
Apache log4net before 2.0.8 does not disable XML external entities when parsing log4net configuration files. This could allow for XXE-based attacks in applications that accept arbitrary configuration files from users.
Is it being fixed in ToF latest releases, we are using ToF 1.9.0 release.
Sean McIlvenna (Dec 14 2021 at 07:33):
The vulnerability recently discovered in log4j is specific to Java applications. TWB is a C# app, and ToF is a JavaScript application. Neither of which should be affected by the recent log4j-core vulnerability.
Sean McIlvenna (Dec 14 2021 at 07:34):
Having said that, log4net is the C# port of log4j... so, I believe you are actually referring to TWB, not ToF.
Sean McIlvenna (Dec 14 2021 at 07:38):
According to the description of the vulnerability you mentioned above, TWB does not share log4net config files in this fashion, so I don't believe this vulnerability affects TWB either
Sean McIlvenna (Dec 14 2021 at 07:39):
@Chetan Jain
Sean McIlvenna (Dec 14 2021 at 07:40):
Of course, please let me know if I'm missing something...
Chetan Jain (Dec 14 2021 at 07:46):
Thanks for the prompt response @Sean McIlvenna . There are multiple low/medium and this 1 critical vulnerability flagged from the scan of Lantana Trifolia only. Below are a few log snippets which refer to log4net -
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/Log.cs
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/Log4NetLoggerFactory.cs
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/LogWithPerfmonAttribute.cs
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/packages.config
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/Trifolia.Logging.csproj
Scanned: /tmp/tmp-8254-etPfMH0sQv25/Trifolia.Logging/Log4NetLogger.cs
Is it pointing correctly? We have only ToF installed, no TWB.
Chetan Jain (Dec 14 2021 at 07:49):
Let me know if you need to get more info. BTW this exercise is not related to the log4j issue. This is part of an exercise by the Software team to provide security approval for ToF usage.
Sean McIlvenna (Dec 14 2021 at 16:15):
@Chetan Jain
Thanks for clarifying this is not related to the log4j issue. Glad to hear it. That was my biggest concern, initially.
I think there may be some confusion here... All of those files mentioned in the scan logs above are .cs files, which are C# files. This is definitely referring to Trifolia Work Bench (TWB), as TWB is a .NET application while ToF is a JavaScript application.
I'm worried you're intending to use ToF, but your security team is scanning the wrong repository...
https://github.com/lantanagroup/trifolia = TWB
https://github.com/lantanagroup/trifolia-on-fhir = ToF
Chetan Jain (Dec 17 2021 at 06:49):
We have only ToF installed so need to check how they end up finding TWB. Thanks for your input @Sean McIlvenna
Chetan Jain (Feb 14 2022 at 12:25):
Hi @Sean McIlvenna - Now that our security scan correctly points to the ToF git, attached is the scan log which highlights vulnerabilities with high/medium severity. Could you please check and let me know if we need to log any support ticket to get these addressed. Thanks in advance for your input. We can set it up internally only if it passes all security checks, and for that at least all HIGH severity issues must be fixed. Thanks!!
Trifolia-FHIR-Barista-Scan-Feb-03-2022.txt
Sean McIlvenna (Feb 15 2022 at 15:30):
Hi @Chetan Jain
Sean McIlvenna (Feb 15 2022 at 15:30):
We're (slowly) working through a bunch of dependabot and snyk.com PRs that would address a lot of (I believe) the issues you're referring to
Sean McIlvenna (Feb 15 2022 at 15:30):
I can't yet give you a time-line... but, I am chipping away at it
Chetan Jain (Feb 15 2022 at 16:37):
That's great @Sean McIlvenna, thanks for the update. Is there any need to log a ticket/issue for tracking? You already said there's no time line, but I'm still wondering by when we can touch base again or run another scan to see if it passes. This is a blocker for us to get it installed.
Sean McIlvenna (Feb 16 2022 at 01:47):
I've created a backlog item to track this work against in JIRA. It's not a support request, but is a development ticket: https://trifolia.atlassian.net/browse/TRIFFHIR-615 I believe you should be able to watch that ticket, as it is a public JIRA project.
Chetan Jain (Feb 16 2022 at 06:55):
Great, thank you @Sean McIlvenna . Will follow the ticket.
Last updated: Apr 12 2022 at 19:14 UTC