Does BaseX (9.x or 8.x) use Log4j in any of its components? If not, should one still worry about the JRE?
Regards, Marc
Hi Marc,
I was waiting for that question ;)
All fine, BaseX uses a custom logger, as well as Jetty does [1,2].
You may need to check your setup, though, if you use Tomcat as web server or any additional search index applications like Solr or Elasticsearch. ES is only susceptible to information leak, not remote code execution [3].
Hope this helps, Christian
[1] https://docs.basex.org/wiki/Logging
[2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.h...
[3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnera...
On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht marc@crosseyed.nl wrote:
> Does BaseX (9.x or 8.x) use Log4j in any of its components? If not, should one still worry about the JRE?
> Regards, Marc
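The setup check Christian suggests for installations that also run Tomcat, Solr or Elasticsearch comes down to an inventory question: which Java archives on the box contain log4j-core, which version do they declare, and is the JndiLookup class still inside them. The script below is an added example for this thread, not code from BaseX, Jetty or Apache. It walks a directory, opens every .jar/.war/.ear, looks one level into nested jars (WARs and shaded jars), reads the version from the manifest's Implementation-Version or Bundle-Version field, and reports archives that still carry JndiLookup below a minimum release. MIN_ACCEPTED_VERSION is an assumption to be set from the advisory the reader follows, and the sample archives it scans in its demo are constructed in a temporary directory, not real Log4j jars.

```python
# Added example (not BaseX, Jetty or Apache code): inventory Java archives under a
# directory and report which ones ship log4j-core, the version they declare and
# whether the JndiLookup class is still present.
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PREFIX = "org/apache/logging/log4j/core/"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption: set this to the minimum log4j-core release your remediation policy
# accepts; older cores that still contain JndiLookup.class are reported.
MIN_ACCEPTED_VERSION = (2, 17, 1)


@dataclass
class Finding:
    path: str                        # archive on disk, or entry name when nested
    version: Optional[str]           # version string from the manifest, if any
    has_jndi_lookup: bool
    nested_in: Optional[str] = None  # outer archive when found inside a WAR/fat jar

    def needs_action(self) -> bool:
        if not self.has_jndi_lookup:
            return False  # class removed: the usual stop-gap mitigation
        if self.version is None:
            return True   # unknown version: flag for manual review
        return parse_version(self.version) < MIN_ACCEPTED_VERSION


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 9), which sorts below 2.17.1."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def _declared_version(zf: zipfile.ZipFile) -> Optional[str]:
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^(?:Implementation-Version|Bundle-Version):\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None


def _inspect(zf: zipfile.ZipFile, path: str, nested_in: Optional[str]) -> Optional[Finding]:
    names = set(zf.namelist())
    # Only log4j-core matters here; log4j-api alone carries no lookup code.
    if not any(n.startswith(CORE_PREFIX) for n in names):
        return None
    return Finding(path, _declared_version(zf), JNDI_LOOKUP in names, nested_in)


def scan(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                outer = zipfile.ZipFile(path)
            except zipfile.BadZipFile:
                continue
            with outer:
                found = _inspect(outer, path, None)
                if found:
                    findings.append(found)
                # WARs and shaded jars often bundle log4j-core one level down.
                for inner_name in outer.namelist():
                    if not inner_name.endswith(".jar"):
                        continue
                    try:
                        inner = zipfile.ZipFile(io.BytesIO(outer.read(inner_name)))
                    except zipfile.BadZipFile:
                        continue
                    with inner:
                        found = _inspect(inner, inner_name, nested_in=path)
                        if found:
                            findings.append(found)
    return findings


def _jar_bytes(version: str, entries: List[str]) -> bytes:
    """Constructed sample archive: a manifest plus empty placeholder class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for entry in entries:
            zf.writestr(entry, b"")
    return buf.getvalue()


def build_sample_tree(root: str) -> None:
    """Constructed test data, not real Log4j jars: an old core with JndiLookup, a
    current core (the class is still shipped, but the version is accepted), an old
    core with the class stripped, an api-only jar, and a WAR bundling an old core."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    core = [CORE_PREFIX + "LoggerContext.class"]
    samples = {
        "log4j-core-old.jar": _jar_bytes("2.14.1", core + [JNDI_LOOKUP]),
        "log4j-core-new.jar": _jar_bytes("2.17.1", core + [JNDI_LOOKUP]),
        "log4j-core-stripped.jar": _jar_bytes("2.14.1", core),
        "log4j-api.jar": _jar_bytes("2.14.1", ["org/apache/logging/log4j/Logger.class"]),
    }
    for name, data in samples.items():
        with open(os.path.join(lib, name), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-bundled.jar", _jar_bytes("2.14.1", core + [JNDI_LOOKUP]))


def demo_findings() -> Dict[str, Finding]:
    """Scan the constructed tree and key the findings by archive base name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(f.path): f for f in scan(tmp)}


if __name__ == "__main__":
    for f in demo_findings().values():
        where = f"{f.path} (inside {f.nested_in})" if f.nested_in else f.path
        print(f"{'ACTION' if f.needs_action() else 'ok    '} {f.version or '?':8} jndi={f.has_jndi_lookup} {where}")
```

Point scan() at the directories the servers actually load classes from (Tomcat's lib and each webapp's WEB-INF/lib, the Solr and Elasticsearch install trees); a core jar reported as "ok" only because the class was stripped is a mitigation, not an upgrade, so it still belongs on the list to replace.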
Hi Christian,
So you already knew :)
Very glad to read your answer, the exploitation attempts are already showing up in the logs.
thanks, this helps a lot, Marc
On Mon, 13 Dec 2021, Christian Grün wrote:
> Hi Marc,
> I was waiting for that question ;)
> All fine, BaseX uses a custom logger, as well as Jetty does [1,2].
> You may need to check your setup, though, if you use Tomcat as web server or any additional search index applications like Solr or Elasticsearch. ES is only susceptible to information leak, not remote code execution [3].
> Hope this helps, Christian
> [1] https://docs.basex.org/wiki/Logging
> [2] https://docs.huihoo.com/jetty/the-definitive-reference/configuring-logging.h...
> [3] https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnera...
> On Mon, Dec 13, 2021 at 4:11 PM Marc Coenegracht marc@crosseyed.nl wrote:
>> Does BaseX (9.x or 8.x) use Log4j in any of its components? If not, should one still worry about the JRE?
>> Regards, Marc
On Mon, Dec 13, 2021 at 10:18 AM Christian Grün christian.gruen@gmail.com wrote:
> I was waiting for that question ;)
Waiting smugly, I gather ;->
Jonathan
> Waiting smugly, I gather ;->
;) mostly because my last two days were completely taken up with client and user requests on log4j.
A blog article on Open Source software and commercial users, worth reading:
https://blog.filippo.io/professional-maintainers/
Jonathan Robie jonathan.robie@gmail.com wrote on Mon., 13 Dec 2021, 19:08:
> On Mon, Dec 13, 2021 at 10:18 AM Christian Grün christian.gruen@gmail.com wrote:
>> I was waiting for that question ;)
> Jonathan
basex-talk@mailman.uni-konstanz.de