Comments (6)
More information from log4j, https://logging.apache.org/log4j/2.x/security.html: two CVEs specifically we're safe from, and one that does apply in a non-standard configuration
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
from apollo.
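The mitigation quoted above from the Log4j security page ("audit your logging configuration to ensure it has no JMSAppender configured") as a small audit script. This is an added example, not code from the Apollo project or from the Log4j site: it reads the two configuration formats Log4j 1.x accepts (log4j.properties and log4j.xml) and reports every appender whose class is org.apache.log4j.net.JMSAppender, skipping commented-out lines so a leftover comment is not reported as a live appender. The sample configurations embedded in the block are constructed for the example.

```python
"""Audit Log4j 1.x configuration files for a configured JMSAppender.

Added example (not Apollo's or Log4j's own code). CVE-2021-4104 applies to
Log4j 1.x only when a JMSAppender is configured, so the defensive check is
simply: find any appender of class org.apache.log4j.net.JMSAppender.
"""
import re
import sys
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"

# log4j.appender.<name>=<class>   (separator may be '=' or ':')
# The name group excludes '.', so "log4j.appender.X.layout=..." does not match.
_PROPS_APPENDER = re.compile(r"^\s*log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)")


def find_jms_appenders_properties(text: str) -> list[str]:
    """Return names of JMSAppenders declared in a log4j.properties body."""
    found = []
    for line in text.splitlines():
        if line.lstrip().startswith(("#", "!")):  # properties comment lines
            continue
        m = _PROPS_APPENDER.match(line)
        if m and m.group(2) == JMS_APPENDER:
            found.append(m.group(1))
    return found


def find_jms_appenders_xml(text: str) -> list[str]:
    """Return names of JMSAppenders declared in a log4j.xml body."""
    root = ET.fromstring(text)
    # <appender> elements are unprefixed in log4j.xml; only the root carries
    # the log4j: namespace prefix.
    return [
        el.get("name", "<unnamed>")
        for el in root.iter("appender")
        if el.get("class") == JMS_APPENDER
    ]


def audit_log4j_config(text: str) -> list[str]:
    """Dispatch on format; an empty list means no JMSAppender is configured."""
    if text.lstrip().startswith("<"):
        return find_jms_appenders_xml(text)
    return find_jms_appenders_properties(text)


# --- constructed sample configurations (not from any real deployment) ---
SAFE_PROPERTIES = """
log4j.rootLogger=INFO, stdout, file
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=apollo.log
"""

AFFECTED_PROPERTIES = """
log4j.rootLogger=INFO, jms
# a commented-out appender must not be reported:
# log4j.appender.old=org.apache.log4j.net.JMSAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.TopicBindingName=logTopic
"""

AFFECTED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root>
    <level value="info"/>
    <appender-ref ref="stdout"/>
    <appender-ref ref="jms"/>
  </root>
</log4j:configuration>
"""


def main(paths: list[str]) -> None:
    """With file paths: audit each file. Without: run over the samples."""
    if paths:
        for path in paths:
            with open(path, encoding="utf-8") as fh:
                hits = audit_log4j_config(fh.read())
            print(f"{path}: {'JMSAppender configured: ' + ', '.join(hits) if hits else 'OK'}")
        return
    for label, body in [("safe.properties", SAFE_PROPERTIES),
                        ("affected.properties", AFFECTED_PROPERTIES),
                        ("affected.xml", AFFECTED_XML)]:
        print(label, "->", audit_log4j_config(body) or "no JMSAppender")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with the paths of the deployed log4j.properties or log4j.xml files (for Apollo, whatever configuration the WAR actually ships or the servlet container points to); a non-empty result means the CVE-2021-4104 condition is met and the appender should be removed or the library upgraded, as the thread goes on to do.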
https://www.openwall.com/lists/oss-security/2021/12/13/1 does affect 1.2.X but it seems to only do so in unusual configurations
from apollo.
This was essentially my assessment as well, that we sort of "dodged a bullet" on this log4j issue by using log4j 1.x, which is only vulnerable in a non-default configuration. I ran Apollo through a security scanner tool and found that we use the older log4j 1.x instead of 2.x, which has the highest vulnerability scale
security scan here
https://gist.github.com/cmdcolin/df8e92fe3e82fb2856b5c08d90bf4a32
it would likely still be valuable to update dependencies
from apollo.
Oh, that's quite a list. Yeah, might be time. Thanks for the confirmation @cmdcolin !!
from apollo.
I looked a bit into what it would take to update dependencies to address some of the security concerns. Most of the dependencies are part of the Grails distribution, so the way to update the dependencies is to update Grails. Apollo is using Grails 2.5.5, and updating to more recent Grails version (current is 5.1.1) would be an extensive effort. For example, here is the migration guide from Grails 2 to 3: https://docs.grails.org/3.0.0/guide/single.html#upgrading
There seems to be some way of manually specifying dependencies described here, but it's not clear how exactly to generate that list, and it's all-or-nothing: you have to manually specify all the dependencies or none of them. Also, Grails 2 depends on a lot of old versions of packages that might not be getting security updates anyway.
There is also a way to swap out the logging library specifically here, but since the version of Log4j being used isn't as vulnerable, it's probably not as high a priority as some of the other dependencies.
from apollo.
v2.7.0 released with log4j updated to a safe version. It was likely in a non-vulnerable configuration by default anyway, but the upgrade was requested by @childers
xref
#2654
from apollo.