TINKERPOP-2534: Log4j flagged as critical security violation


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.10
    • Fix Version/s: 3.6.0
    • Component/s: console, server
    • Labels: None

    Description

      Gremlin server and console include log4j 1.2, which end-of-life'd > 5 years ago.

      Security scanning software (twistlock) flags log4j 1.2 as a critical security violation, and hence prohibits deployment.

      CRITICAL:
      Attack complexity: low,Attack vector: network,Critical severity,Remote execution
      CVE-2019-17571
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571

      Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.


      Is there a plan to remove log4j 1.2 so that installation of either gremlin server or console does not include the jars that trigger this security issue?
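      A defender-side check for the condition the scanner flags, added here as an example and not code from the TinkerPop project or from this issue: it walks a lib directory, flags every jar that contains the log4j 1.2 SocketServer class named in CVE-2019-17571 (so a renamed or shaded jar is still caught), and reads the bundled version from the manifest. The sample lib tree, jar names and version string are constructed for the demonstration; a hit means the class is bundled, not that a SocketServer is actually listening.

```python
import tempfile
import zipfile
from pathlib import Path

# The class CVE-2019-17571 concerns, as bundled in log4j 1.2 jars. Matching on
# the class path rather than the jar file name catches renamed or shaded copies.
LOG4J1_SOCKET_SERVER = "org/apache/log4j/net/SocketServer.class"


def manifest_version(zf):
    """Read Implementation-Version from META-INF/MANIFEST.MF, or 'unknown'."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def inspect_jar(jar_path):
    """Return the bundled log4j version if the jar carries SocketServer, else None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if LOG4J1_SOCKET_SERVER not in zf.namelist():
                return None
            return manifest_version(zf)
    except zipfile.BadZipFile:  # not a jar at all; nothing to flag
        return None


def scan_lib_dir(lib_dir):
    """Map jar name -> bundled log4j version for every flagged jar under lib_dir."""
    return {p.name: v for p in sorted(Path(lib_dir).rglob("*.jar"))
            if (v := inspect_jar(p)) is not None}


def make_sample_lib(target_dir):
    """Constructed sample tree: one renamed log4j 1.2 jar and one clean jar."""
    lib = Path(target_dir) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(lib / "logging-shaded.jar", "w") as zf:  # name hides log4j
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nImplementation-Version: 1.2.17\n")
        zf.writestr(LOG4J1_SOCKET_SERVER, b"\xca\xfe\xba\xbe")  # stand-in class bytes
    with zipfile.ZipFile(lib / "app-clean.jar", "w") as zf:
        zf.writestr("com/example/App.class", b"\xca\xfe\xba\xbe")
    return lib


def demo():
    """Build the sample tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_lib_dir(make_sample_lib(tmp))


if __name__ == "__main__":
    for name, version in demo().items():
        print(f"{name}: bundles log4j {version} with SocketServer (CVE-2019-17571)")
```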

      People

        Assignee: Stephen Mallette (spmallette)
        Reporter: Dan Snoddy (Snoddy)
        Votes: 0
        Watchers: 4