Comments (4)
- The log4j vulnerability belongs to "log4j Versions Affected: all versions from 2.0-beta9 to 2.14.1", which is described here: https://logging.apache.org/log4j/2.x/security.html
It is also written there that the mitigation would be:
- In releases >=2.10, ...
- For releases from 2.0-beta9 to 2.10.0, remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
--> Which indirectly gave me the information that the "vulnerability" is located in "org/apache/logging/log4j/core/lookup/JndiLookup.class".
Ok, this is what I have done right now to check whether my app uses "log4j" (or at least whether it has included this class):
- I built a "fat jar" of my app via "maven package"
- I extracted all files from within that jar into a folder in my filesystem
- I searched in that folder for "log4j"
... I did not find the path "org/apache/logging/log4j" and also no class named "JndiLookup.class" in that path.
Which indirectly should mean that my ninja app is not affected by this specific "security vulnerability"?
Thanks for help and best regards
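The check described in the comment above (build the fat jar, unpack it, look for the log4j package path and the JndiLookup class) can be automated so it also looks inside jars nested in the packaged artifact, which a manual search of the unpacked folder does not cover. The script below is an added example and is not part of the issue thread or the Ninja project; the sample "fat jar" it builds is a constructed fixture with placeholder bytes in place of real class files, and the nested jar name `lib/logging-dependency.jar` is made up.

```python
# Added example (not from the issue thread): scan a built jar/war, including
# jars nested inside it, for the JndiLookup class that the Apache log4j
# security page tells you to remove. Works on bytes so it can run offline.
import io
import zipfile

# Class path named in the Apache log4j security page quoted above.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LOG4J_PREFIX = "org/apache/logging/log4j/"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_archive(data: bytes, prefix: str = "") -> dict:
    """Return {'jndi_lookup': [...], 'log4j_entries': [...]} for the archive bytes.

    Hits inside nested archives are reported as outer.jar!inner/path so the
    report says where the class actually sits, not just that it exists.
    """
    hits = {"jndi_lookup": [], "log4j_entries": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # entry is named like an archive but is not one; skip it
    with zf:
        for name in zf.namelist():
            full = prefix + name
            if name == JNDI_LOOKUP:
                hits["jndi_lookup"].append(full)
            if name.startswith(LOG4J_PREFIX):
                hits["log4j_entries"].append(full)
            if name.lower().endswith(NESTED_SUFFIXES):
                # Recurse into nested jars (fat jars may carry dependencies this way).
                inner = scan_archive(zf.read(name), full + "!")
                hits["jndi_lookup"].extend(inner["jndi_lookup"])
                hits["log4j_entries"].extend(inner["log4j_entries"])
    return hits


def scan_jar_file(path: str) -> dict:
    """Scan an on-disk jar/war produced by `mvn package`."""
    with open(path, "rb") as fh:
        return scan_archive(fh.read())


def build_sample_jar(include_log4j: bool) -> bytes:
    """Constructed fixture: a 'fat jar' with a nested dependency jar.

    The nested jar is deliberately NOT named log4j-*.jar, to show that the
    scan keys on the class path rather than on file names. Class bodies are
    placeholder bytes, not real bytecode.
    """
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as inner:
        inner.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_log4j:
            inner.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes
            inner.writestr(LOG4J_PREFIX + "core/Logger.class", b"\xca\xfe\xba\xbe")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as fat:
        fat.writestr("conf/application.conf", "application.name=demo\n")
        fat.writestr("lib/not-really-a-jar.jar", b"plain text, not a zip")
        fat.writestr("lib/logging-dependency.jar", nested.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = scan_jar_file(path)
        print(path, "JndiLookup:", result["jndi_lookup"] or "none",
              "| log4j entries:", len(result["log4j_entries"]))
```

Run it as `python scan_jar.py target/my-app.jar` after `mvn package`. An empty `jndi_lookup` list means the packaged artifact does not carry that class under its standard path, which is the same conclusion the comment reaches by hand; the `log4j_entries` list separately tells you whether any log4j 2 classes are present at all, which is the check to repeat if a project has swapped Ninja's default logback logger for log4j.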
@raphaelbauer as the main contributor of ninjaframework, any thoughts about that issue?
thanks and best regards
We use Ninja extensively in our public-facing and internal apps and based on our review, we have NO log4j exposure.
However, Ninja is simply a framework and someone could go out of their way to force log4j use through switching out of Ninja's default logback logger. So, it's best to check yourself as well. However, if you're using Ninja out of the box, you should be all set.
Good to hear that and thanks for your answer!
cheers