Log4j security issue

Payara products don’t use the Log4j library directly, but if your application is using it, we recommend that you upgrade to the latest version of Log4J especially when running on a vulnerable JDK version. See Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

1 Like

But what I can see in logging.properties files which is located under (payara-5.2021.10\payara5\glassfish\domains\domain1\config) folder is pointing to log4j logger

(log4j.logger.org.hibernate.validator.util.Version=warn)

What I can see that payara internally uses log4j logger for the above hibernate validator util version, Could you please confirm is payara is not affected with log4j with the above property turned on.

It will be great if you provide some clarity on this.

The short answer is no, Payara is not affected with that property turned on.

" Log4j 2 is only a test dependency of Hibernate Validator (being a test dependency, Log4j 2 doesn’t come in your apps through Hibernate Validator so you don’t have to worry about this issue from the Hibernate Validator perspective)"

Their new releases fix the issue of Hibernate Validator being flagged as a false positive.

Hibernate Validator 6.2.1.Final and 7.0.2.Final released - In Relation To

Hi, I’m testing payara micro and ran a scan on the container image to look for vulnerabilities.

I found 3 hits:

I patched the payara micro image to have a version of OpenSSL that is not affected, but I cannot figure out how to replace the affected libraries. Is there a way to replace libraries in Payara Micro or to compile it from source with replaced libraries? Thanks.

Hi @luisdanielmesa,

Thank you for sharing these concerns, this matter is being handled privately via the formal channels

As Payara is open source, the source code is available over on GitHub here for you to compile from source and change the libraries as you wish: Payara

Instructions on how to build Payara Micro can be found within our technical documentation here Overview :: Payara Community Documentation.

Thanks,
James

1 Like

Thank you very much @JamesHillyard . If I fix it, can I create a PR so you guys can check it and perhaps integrate it for others to use or is the process internal still? Thanks again.

Hi @luisdanielmesa,

Absolutely! We always encourage community contributions, if you raise a PR the development team will gladly review the changes.

Thanks,
James

1 Like