I am opening this bug to track ports subject to CVE-2021-44228 by including log4j.

From brooks via plist grep:

devel/sonarqube-community/pkg-plist:libexec/sonarqube/elasticsearch/lib/log4j-api-2.11.1.jar
devel/sonarqube-community/pkg-plist:libexec/sonarqube/elasticsearch/lib/log4j-core-2.11.1.jar
devel/zookeeper/Makefile:LOG4J2_JARS= log4j-api-${ZOOKEEPER_LOG4J2_VERSION}.jar \
devel/zookeeper/Makefile: log4j-core-${ZOOKEEPER_LOG4J2_VERSION}.jar \
devel/zookeeper/Makefile: log4j-slf4j-impl-${ZOOKEEPER_LOG4J2_VERSION}.jar   # this is 2.14.1
games/stendhal/pkg-plist:share/stendhal/lib/log4j.jar   # ????
misc/openhab/pkg-plist:libexec/openhab/runtime/system/org/ops4j/pax/logging/pax-logging-log4j2/2.0.9/pax-logging-log4j2-2.0.9.jar
net-im/openfire/pkg-plist:%%DATADIR%%/lib/log4j-api-2.13.3.jar
net-im/openfire/pkg-plist:%%DATADIR%%/lib/log4j-core-2.13.3.jar
net-im/openfire/pkg-plist:%%DATADIR%%/lib/log4j-slf4j-impl-2.13.3.jar
net-im/signald/pkg-plist:%%DATADIR%%/lib/log4j-api-2.14.0.jar
net-im/signald/pkg-plist:%%DATADIR%%/lib/log4j-core-2.14.0.jar   # There's a patch to install 2.15, but this is still in the plist
net/keycloak/pkg-plist:%%JAVASHAREDIR%%/keycloak/modules/system/layers/base/org/apache/logging/log4j/api/main/log4j-api-2.14.0.jar
www/axis2/pkg-plist:%%APPHOME%%/webapps/axis2/WEB-INF/lib/log4j-api-2.14.1.jar
www/axis2/pkg-plist:%%APPHOME%%/webapps/axis2/WEB-INF/lib/log4j-core-2.14.1.jar
www/axis2/pkg-plist:%%APPHOME%%/webapps/axis2/WEB-INF/lib/log4j-jcl-2.14.1.jar

net-p2p/vuze is fine, that's 1.x from devel/log4j.
Fixes:

port                  committer  commit
sysutils/graylog      dch        449f35caf83a
net-mgmt/unifi6       otis       4fa85ecd3e97
net-im/signald        grembo     cb7eacee95f1
misc/openhab          netchild   3fd54e25cf68
textproc/apache-solr  mfechner   7604d31e30b4
net-mgmt/riemann      dch        aa51fcd1fd6b
security/bastillion   netchild   ef15683d48c1
Apparent second security vulnerability announced today: "It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations ... <snip> ... Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default." https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046 [1] via https://twitter.com/likethecoins/status/1470828794755829765
The following port should also be added: devel/sonarqube-community; it is using log4j 2.11.1.
(In reply to Matthias Fechner from comment #3) sonarqube seems not to be directly vulnerable: https://community.sonarsource.com/t/sonarqube-sonarcloud-and-the-log4j-vulnerability/54721 but a mitigation can be added to the sonarqube port that is described in this link.
I updated log4j to 2.16 in net-im/signald yesterday, this time also committing pkg-plist, so the build will work again.
I think these are affected too:

biology/igv
www/archiva
Another issue: https://nvd.nist.gov/vuln/detail/CVE-2021-45105. Corrected in 2.17.0 and 2.12.3.
Created attachment 230267: List of log4j related files in port distfiles.

This is a list of all files named "*log4j*" in all distfiles of ports in CATEGORIES java or USE_JAVA. I used this to generate the list of ports that bundle a potentially vulnerable log4j version.
(In reply to Thomas Zander from comment #8)

List of potentially bundled vulnerable versions:

> zcat log4j_findings.txt.xz | grep 'log4j-' | grep '\-2.' | cut -d '/' -f 5-6 | sort | uniq
biology/jalview
databases/opentsdb
devel/hadoop2
devel/log4j
devel/nexus2-oss
devel/pycharm-pro
devel/sonarqube-community
devel/spark
finance/jgnash
graphics/geoserver
net-mgmt/unifi6
net/kafka
net/keycloak
net/serviio
security/bastillion
sysutils/jvmtop
sysutils/logstash6
sysutils/logstash7
textproc/apache-solr
textproc/elasticsearch6
textproc/elasticsearch7
textproc/opensearch
www/archiva
www/axis2
www/madsonic

The number is less than I imagined, so a second pair of eyes would be good.
(In reply to Thomas Zander from comment #9) The maintainers of the potentially vulnerable ones have been informed. I'll look into the ones without maintainers, but any help in this area is appreciated.
Thomas, your grep pattern is too naive. Only log4j-core is affected, not anything else containing log4j. Please refine your query. devel/nexus2-oss is not affected; it does not use Log4J in any version, but Logback only.
FWIW, Log4J2 also contains a DoS issue on interpolation again. Upgrade to 2.17.0 or migrate to Logback right away.
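An added example (not from this bug or any of its commenters) that applies the refinement above to the plist grep output: it keeps only log4j-core jars, ignores log4j-api, 1.x log4j.jar and Logback, and reports which of the three CVEs discussed here each bundled version still lacks a fix for. The sample lines are constructed (modelled on the grep output earlier in this bug, with hypothetical paths and a hypothetical misc/example-port); 2.12.2 as the first fixed 2.12.x version for the first two CVEs is assumed from Apache's advisory, the other fixed versions are the ones stated in this bug.

```python
import re
from typing import List, NamedTuple, Tuple

# Only log4j-core carries the JNDI lookup code: log4j-api, log4j-slf4j-impl,
# 1.x log4j.jar and Logback jars are skipped.
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")

# First fixed version on the main line and on the 2.12.x (Java 7) branch.
# 2.15.0, 2.16.0, 2.17.0 and 2.12.3 are from this bug; 2.12.2 is assumed
# from Apache's advisory for the 2.12.x backports.
FIXED = {
    "CVE-2021-44228": ((2, 15, 0), (2, 12, 2)),
    "CVE-2021-45046": ((2, 16, 0), (2, 12, 2)),
    "CVE-2021-45105": ((2, 17, 0), (2, 12, 3)),
}

class Finding(NamedTuple):
    port: str
    version: str
    cves: Tuple[str, ...]

def is_fixed(v: Tuple[int, ...], main_fix, branch_fix) -> bool:
    # A 2.12.x jar is judged against its own backport, not the main line.
    return v >= (branch_fix if v[:2] == (2, 12) else main_fix)

def scan(lines: List[str]) -> List[Finding]:
    """Parse 'category/port/file:path' lines; report unfixed CVEs per log4j-core jar."""
    findings = []
    for line in lines:
        port_file, _, path = line.partition(":")
        port = "/".join(port_file.split("/")[:2])   # category/port
        m = CORE_JAR.search(path)
        if not m:
            continue
        v = tuple(int(x) for x in m.groups())
        cves = tuple(c for c, (mf, bf) in FIXED.items() if not is_fixed(v, mf, bf))
        findings.append(Finding(port, ".".join(map(str, v)), cves))
    return findings

# Constructed sample input (paths and versions are illustrative, not a port audit).
SAMPLE = [
    "devel/sonarqube-community/pkg-plist:libexec/sonarqube/elasticsearch/lib/log4j-api-2.11.1.jar",
    "devel/sonarqube-community/pkg-plist:libexec/sonarqube/elasticsearch/lib/log4j-core-2.11.1.jar",
    "games/stendhal/pkg-plist:share/stendhal/lib/log4j.jar",
    "net-im/signald/pkg-plist:%%DATADIR%%/lib/log4j-core-2.16.0.jar",
    "devel/nexus2-oss/pkg-plist:lib/logback-core-1.2.3.jar",   # Logback, constructed path
    "misc/example-port/pkg-plist:lib/log4j-core-2.12.3.jar",   # hypothetical port
]
```

Calling `scan(SAMPLE)` yields three findings: the 2.11.1 jar open to all three CVEs, the 2.16.0 jar open only to CVE-2021-45105, and the 2.12.3 jar with none.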
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=14b94af2fcc31362d951bd7b681086b3f3fdce50

commit 14b94af2fcc31362d951bd7b681086b3f3fdce50
Author:     Michael Gmelin <grembo@FreeBSD.org>
AuthorDate: 2021-12-20 13:11:35 +0000
Commit:     Michael Gmelin <grembo@FreeBSD.org>
CommitDate: 2021-12-20 13:12:44 +0000

    net-im/signald: Update log4j to 2.17

    PR: 260421

 net-im/signald/Makefile                 |  8 ++++----
 net-im/signald/distinfo                 | 10 +++++-----
 net-im/signald/files/patch-build.gradle |  4 ++--
 net-im/signald/pkg-plist                |  4 ++--
 4 files changed, 13 insertions(+), 13 deletions(-)
Hi,

if this is only about CVE-2021-44228, the following of my ports are OK (as per vuln-2021.xml):
- openhab (mitigation in a security hotfix)
- bastillion (log4j 2.16)
- serviio (log4j 2.16)

serviio (multimedia/DLNA server) has no new release for log4j 2.17 yet, bastillion just released another update which I will check. For openhab there is a new feature release which I'm working on, which is supposed to have a more recent log4j.

Not in vuln.xml, but not affected:
- sonarqube-community (bundled elasticsearch was never vulnerable on JDK9+: https://discuss.elastic.co/t/apache-log4j2-remote-code-execution-rce-vulnerability-cve-2021-44228-esa-2021-31/291476)

Bye,
Alexander.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=274a774af71a4ce55153d3e17e2ed0becc262970

commit 274a774af71a4ce55153d3e17e2ed0becc262970
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2021-12-21 07:56:20 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2021-12-21 08:03:03 +0000

    misc/openhab,+addons: update to 3.2.0

    Update to 3.2.0:
    - https://github.com/openhab/openhab-distro/releases/tag/3.2.0
    - switches from log4j mitigation to updated log4j (2.17.0)
      https://community.openhab.org/t/log4j-vulnerability/129863/73
    - add CPE for addons

    PR: 260421

 misc/openhab-addons/Makefile      |   7 +-
 misc/openhab-addons/distinfo      |   6 +-
 misc/openhab/Makefile             |   2 +-
 misc/openhab/distinfo             |   6 +-
 misc/openhab/files/pkg-message.in |  27 ++++
 misc/openhab/pkg-plist            | 294 +++++++++++++++++++-------------------
 6 files changed, 187 insertions(+), 155 deletions(-)
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=99cfda58e74fa40277eb04affffe948ebb5e35ca

commit 99cfda58e74fa40277eb04affffe948ebb5e35ca
Author:     Alexander Leidinger <netchild@FreeBSD.org>
AuthorDate: 2021-12-21 09:18:03 +0000
Commit:     Alexander Leidinger <netchild@FreeBSD.org>
CommitDate: 2021-12-21 09:22:17 +0000

    devel/sonarqube-community: update to 9.2.4

    This update contains an updated elasticsearch which contains an updated
    log4j (2.17.0). According to Elastic this is a "feel-good" release to
    prevent a false positive log4j detection of a scanner. Elasticsearch is
    not vulnerable in the previously bundled version according to Elastic,
    as described in the previous commit.

    PR: 260421

 devel/sonarqube-community/Makefile  |  2 +-
 devel/sonarqube-community/distinfo  |  6 ++--
 devel/sonarqube-community/pkg-plist | 67 +++++++++++--------------------------
 3 files changed, 23 insertions(+), 52 deletions(-)
Adding @yuri. Seems like biology/igv is ripping out log4j after the 3rd vulnerability[0], so updating the port to the latest version should fix it.

[0] https://github.com/igvteam/igv/commit/a49adca7bf795c0a522a7844a6d711bb81a31361
    https://github.com/igvteam/igv/releases/tag/v2.11.9
All depends-on bugs have been resolved.