
[lyo-dev] Fwd: Information about Apache Jena and Log4j2 vulnerability.

FYI 

/Andrew

Begin forwarded message:

From: Andy Seaborne <andy@xxxxxxxxxx>
Subject: Information about Apache Jena and Log4j2 vulnerability.
Date: W49 10 December 2021 at 15:55:29 CET
Reply-To: <users@xxxxxxxxxxxxxxx>

This message is about the effect of CVE-2021-44228 (log4j2) on Fuseki.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

Jena ships log4j2 in Fuseki and the command line tools.

The vulnerability of log4j2 does impact Fuseki 3.15 - 3.17, and 4.x.

Remote execution is only possible with older versions of Java.

Java 8u121 and Java 11.0.1, and later, set "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false", protecting against remote code execution by default.


The workaround of setting "-Dlog4j2.formatMsgNoLookups=true" works with all affected Fuseki versions:

JVM_ARGS="-Dlog4j2.formatMsgNoLookups=true" ./fuseki-server ....


Note that Apache Jena 4.2.0 addresses an unrelated Jena-specific CVE
https://nvd.nist.gov/vuln/detail/CVE-2021-39239

We will release Jena 4.3.1 with upgraded log4j2.

   Andy
   on behalf of the Jena PMC
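The checks the forwarded message describes (which bundled log4j-core a Fuseki jar carries, whether the JVM's default already blocks remote codebases, and whether the "-Dlog4j2.formatMsgNoLookups=true" workaround is present in JVM_ARGS), collected into one triage script. This is an added example, not code from the Jena project or from the message. It assumes that log4j-core 2.15.0 is the first release without the vulnerable lookup, that the bundled version can be read from the jar's META-INF/maven pom.properties entry, and that Java 9 and 10 (not mentioned in the message) should be treated as unprotected; the sample jar it builds is constructed test data, not a real distribution.

```python
"""Triage helpers for CVE-2021-44228 on a Fuseki install (added example, not Jena code).

Assumptions not taken from the Jena message:
  * log4j-core 2.15.0 is the first release without the JNDI message lookup;
    anything older is treated as affected.
  * The bundled log4j-core version is readable from the jar entry
    META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties.
  * Java 9 and 10 are not covered by the message's statement about
    trustURLCodebase and are treated as still trusting remote codebases.
"""
import io
import re
import zipfile

FIXED_LOG4J = (2, 15, 0)  # assumption: first log4j-core release without the lookup
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NOLOOKUPS_FLAG = "-Dlog4j2.formatMsgNoLookups=true"  # the workaround from the message


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.17.0-rc1'."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip().strip('"'))
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def log4j_core_version(jar_bytes):
    """Return the log4j-core version string embedded in a jar, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode("utf-8").splitlines():
            key, sep, value = line.partition("=")
            if sep and key.strip() == "version":
                return value.strip()
    return None


def parse_java_version(text):
    """Normalise Java version strings to (major, minor, update):
    '1.8.0_121' -> (8, 0, 121), '8u121' -> (8, 0, 121), '11.0.1' -> (11, 0, 1)."""
    text = text.strip().strip('"')
    m = re.match(r"1\.(\d+)\.(\d+)(?:_(\d+))?$", text)  # legacy 1.x.y_update form
    if m:
        return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    m = re.match(r"(\d+)u(\d+)$", text)  # marketing form used in the message, e.g. 8u121
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    return parse_version(text)


def jndi_codebase_trusted(java_version):
    """True if this Java version still trusts remote codebases by default.
    Follows the message: 8u121 and 11.0.1 (and later) default
    com.sun.jndi.{rmi,cosnaming}.object.trustURLCodebase to false.
    Java 9/10 are not covered there and are treated as trusting (assumption)."""
    major, minor, update = parse_java_version(java_version)
    if major == 8:
        return update < 121
    if major == 11:
        return (minor, update) < (0, 1)
    if major > 11:
        return False
    return True


def fuseki_needs_mitigation(log4j_version, jvm_args=""):
    """True when a Fuseki launch still needs the workaround: bundled log4j-core
    older than the fixed release and no -Dlog4j2.formatMsgNoLookups=true
    among the JVM_ARGS tokens."""
    if parse_version(log4j_version) >= FIXED_LOG4J:
        return False
    return NOLOOKUPS_FLAG not in jvm_args.split()


def make_test_jar(log4j_version):
    """Constructed stand-in for fuseki-server.jar carrying only the
    pom.properties entry this script reads (sample data, not a real jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                "artifactId=log4j-core\n"
                                "version=%s\n" % log4j_version)
    return buf.getvalue()


if __name__ == "__main__":
    bundled = log4j_core_version(make_test_jar("2.14.1"))
    print("bundled log4j-core     :", bundled)
    print("java 1.8.0_112 trusts  :", jndi_codebase_trusted("1.8.0_112"))
    print("java 11.0.1 trusts     :", jndi_codebase_trusted("11.0.1"))
    print("needs workaround       :", fuseki_needs_mitigation(bundled))
    print("with JVM_ARGS flag set :", fuseki_needs_mitigation(bundled, "-Xmx2g " + NOLOOKUPS_FLAG))
```

To run it against a real install, read fuseki-server.jar into bytes and pass them to log4j_core_version, then feed the result together with the JVM_ARGS value the service actually starts with into fuseki_needs_mitigation; jndi_codebase_trusted takes the string printed by `java -version`. The JVM_ARGS check is token-based, so a flag spelled differently (e.g. a different case or an extra space) counts as absent, which is the conservative answer.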

