Upgrade LOG4J?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

Upgrade LOG4J?

jyeakley
Are there any plans to upgrade the version of LOG4J used from 1.2.16?
Reply | Threaded
Open this post in threaded view
|

Re: Upgrade LOG4J?

Jiba
Administrator
Do you mean, upgrade the LOG4J included in the Java reasoner with Owlready ?

I prefer to avoid upgrading them because each recompilation of the reasoners is tedious and has a risk of breaking compatibility (if it is compiled with a newer version of Java).

Jiba
Reply | Threaded
Open this post in threaded view
|

Re: Upgrade LOG4J?

jyeakley
Looks like it is included as part of Pellet. This version of LOG4J is super old and has many vulnerabilities associated to it.
Reply | Threaded
Open this post in threaded view
|

Re: Upgrade LOG4J?

Jiba
Administrator
Are there some serious vulnerabilities ? I mean, LOG4J is for logging purpose, so I would not expect it to be so dangerous... Is there really a risk, especially since the Java part cannot be directly accessed in Owlready.

Are recent version fully retrocompatible ? Pellet is actually super old too.
Reply | Threaded
Open this post in threaded view
|

Re: Upgrade LOG4J?

jyeakley
Yes, here are all the CVEs listed for that version:
CVE-2019-17571,CVE-2020-9488,CVE-2022-23302,CVE-2022-23305,CVE-2022-23307

These will get flagged on a scan. Additionally, be careful if you do upgrade to go to a later version to avoid the Log4Shell vulnerability.
Reply | Threaded
Open this post in threaded view
|

Re: Upgrade LOG4J?

Jiba
Administrator
Ok, I've upgrade to LOG4J 2.19.0 in the development version.

Jiba