[ONGDB-280] Remove log4j 1.2.17 to fix critical vulnerability - GraphFoundation Jira

XML

Word

Printable

Details

Type: Story
Status: Done
Priority: Highest
Resolution: Done
Affects Version/s: 1.0.0
Fix Version/s: 1.0.1
Component/s: None
Labels:
None

Description

Resolves the following issue reports:

Requires removal of log4j or replacing log4j with reload4j.

The log4j dependency is only a test dependency and therefore the vulnerability has a lower impact.

The log4j dependency comes in two places:

[INFO] org.graphfoundation.ongdb:ongdb-security-enterprise:jar:1.0.1-SNAPSHOT
[INFO] \- org.apache.directory.server:apacheds-server-integ:jar:2.0.0-M21:test
[INFO]    \- log4j:log4j:jar:1.2.17:test

and

[INFO] org.graphfoundation.ongdb:ongdb-slf4j:jar:1.0.1-SNAPSHOT
[INFO] \- org.slf4j:slf4j-log4j12:jar:1.7.25:test
[INFO]    \- log4j:log4j:jar:1.2.17:test

Resolution Steps

Upgrade slf4j-log4j12 and apacheds-server-integ
Update all org.slf4j group artifacts to version 1.7.36
Update apacheds-server-integ to version 2.0.0-M24
Add log4j exclusion to apacheds-server-integ
Use reload4j (relocated log4j project) by changing dependency slf4j-log4j12 to slf4j-reload4j

Attachments

Activity

People

Assignee:: Brad Nussbaum

Reporter:: Brad Nussbaum

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 29/Mar/22 6:46 PM

Updated:: 30/Mar/22 3:43 AM

Resolved:: 30/Mar/22 3:43 AM