Log4j security issue

Marketing · December 10, 2021, 1:44pm

Payara products don’t use the Log4j library directly, but if your application is using it, we recommend that you upgrade to the latest version of Log4J especially when running on a vulnerable JDK version. See Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

mohammed · January 4, 2022, 11:28am

But what I can see in logging.properties files which is located under (payara-5.2021.10\payara5\glassfish\domains\domain1\config) folder is pointing to log4j logger

(log4j.logger.org.hibernate.validator.util.Version=warn)

What I can see that payara internally uses log4j logger for the above hibernate validator util version, Could you please confirm is payara is not affected with log4j with the above property turned on.

It will be great if you provide some clarity on this.

Marketing · January 6, 2022, 2:15pm

The short answer is no, Payara is not affected with that property turned on.

" Log4j 2 is only a test dependency of Hibernate Validator (being a test dependency, Log4j 2 doesn’t come in your apps through Hibernate Validator so you don’t have to worry about this issue from the Hibernate Validator perspective)"

Their new releases fix the issue of Hibernate Validator being flagged as a false positive.

Hibernate Validator 6.2.1.Final and 7.0.2.Final released - In Relation To

luisdanielmesa · July 13, 2022, 9:27pm

Hi, I’m testing payara micro and ran a scan on the container image to look for vulnerabilities.

I found 3 hits:

GHSA-v57x-gxfj-484q regarding com.hazelcast:hazelcast
CVE-2022-2068 regarding OpenSSL
CVE-2021-31684 regarding net.minidev:json-smart

I patched the payara micro image to have a version of OpenSSL that is not affected, but I cannot figure out how to replace the affected libraries. Is there a way to replace libraries in Payara Micro or to compile it from source with replaced libraries? Thanks.

JamesHillyard · July 15, 2022, 2:10pm

Hi @luisdanielmesa,

Thank you for sharing these concerns, this matter is being handled privately via the formal channels

As Payara is open source, the source code is available over on GitHub here for you to compile from source and change the libraries as you wish: Payara

Instructions on how to build Payara Micro can be found within our technical documentation here Overview :: Payara Community Documentation.

Thanks,
James

luisdanielmesa · July 15, 2022, 6:42pm

Thank you very much @JamesHillyard . If I fix it, can I create a PR so you guys can check it and perhaps integrate it for others to use or is the process internal still? Thanks again.

JamesHillyard · July 18, 2022, 8:11am

Hi @luisdanielmesa,

Absolutely! We always encourage community contributions, if you raise a PR the development team will gladly review the changes.

Thanks,
James

Topic		Replies	Views
“Spring4Shell” vulnerability & Payara Platform Announcements	0	307	April 6, 2022
Spring4Shell Vulnerability General	2	250	April 12, 2022
Is payara subsceptible to CVE-2022-31197 Technical Discussion	1	241	August 17, 2022
How to post and follow security issue General security	1	253	March 9, 2022
Payara micro community Java8 support Payara Micro release	2	204	May 2, 2023

Log4j security issue

Related Topics