Project: TinkerPop
Issue: TINKERPOP-2534

Log4j flagged as critical security violation


Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.4.10
    • Fix Version/s: 3.6.0
    • Component/s: console, server
    • Labels: None

    Description

      Gremlin Server and Console include log4j 1.2, which reached end of life more than 5 years ago.

      Security scanning software (Twistlock) flags log4j 1.2 as a critical security violation and hence prohibits deployment.

      CRITICAL:
      Attack complexity: low, Attack vector: network, Critical severity, Remote execution
      CVE-2019-17571
      https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571

      Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.


      Is there a plan to remove log4j 1.2 so that installations of either Gremlin Server or Console do not include the jars that trigger this security issue?
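The finding above is driven by the presence of the Log4j 1.2 jar in the distribution's lib directory: CVE-2019-17571 is only reachable when the SocketServer class is actually started and listening for log data, but scanners such as Twistlock flag the jar itself, so deployment is blocked regardless of how the server is configured. The script below is an added example (not TinkerPop project code) of the kind of check an operator can run against an unpacked Gremlin Server or Console installation. It inspects jar contents for the class named in the CVE rather than trusting file names, so a renamed or shaded copy is still caught, and it distinguishes Log4j 1.x (package org.apache.log4j) from Log4j 2 (package org.apache.logging.log4j). The jars it scans are constructed in a temporary directory for the demonstration; point scan_lib_dir at a real lib directory to check an installation.

```python
"""Check a Gremlin Server/Console 'lib' directory for Log4j 1.2 jars.

Added example, not part of the TinkerPop project. It creates a throwaway
directory holding synthetic jars (constructed here, not real artifacts) and
scans them the way a supply-chain check would: by looking inside each jar for
the class named in CVE-2019-17571 instead of trusting the file name.
"""
import os
import tempfile
import zipfile

# Class named in CVE-2019-17571 (Log4j 1.2 SocketServer deserialization).
VULNERABLE_CLASS = "org/apache/log4j/net/SocketServer.class"
# Package roots that distinguish Log4j 1.x from Log4j 2.
LOG4J1_PACKAGE = "org/apache/log4j/"
LOG4J2_PACKAGE = "org/apache/logging/log4j/"


def inspect_jar(path):
    """Return a dict describing whether `path` carries Log4j 1.x and/or SocketServer."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
    return {
        "jar": os.path.basename(path),
        "log4j1": any(n.startswith(LOG4J1_PACKAGE) for n in names),
        "log4j2": any(n.startswith(LOG4J2_PACKAGE) for n in names),
        "socket_server": VULNERABLE_CLASS in names,
    }


def inspect_lib_dir(lib_dir):
    """Inspect every .jar in lib_dir, in sorted order."""
    return [
        inspect_jar(os.path.join(lib_dir, name))
        for name in sorted(os.listdir(lib_dir))
        if name.endswith(".jar")
    ]


def scan_lib_dir(lib_dir):
    """Return only the jars a scanner would flag: anything carrying Log4j 1.x classes."""
    return [info for info in inspect_lib_dir(lib_dir) if info["log4j1"]]


def build_sample_lib_dir():
    """Create constructed jars for the demonstration; returns the directory path."""
    lib_dir = tempfile.mkdtemp(prefix="gremlin-lib-")
    placeholder = b"\xca\xfe\xba\xbe"  # class-file magic; contents do not matter here
    # Constructed stand-in for log4j-1.2.17.jar: carries the vulnerable class.
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-1.2.17.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/log4j/Logger.class", placeholder)
        jar.writestr(VULNERABLE_CLASS, placeholder)
    # Constructed stand-in for a Log4j 2 jar: different package, no SocketServer.
    with zipfile.ZipFile(os.path.join(lib_dir, "log4j-core-2.x.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", placeholder)
    # Constructed renamed copy: the file name hides Log4j 1.x, the contents do not.
    with zipfile.ZipFile(os.path.join(lib_dir, "logging-shaded.jar"), "w") as jar:
        jar.writestr(VULNERABLE_CLASS, placeholder)
    return lib_dir


if __name__ == "__main__":
    sample = build_sample_lib_dir()
    for finding in scan_lib_dir(sample):
        state = "SocketServer present" if finding["socket_server"] else "no SocketServer"
        print(f"{finding['jar']}: Log4j 1.x, {state}")
```

On the constructed directory the scan reports log4j-1.2.17.jar and logging-shaded.jar, both with SocketServer present, and stays quiet about the Log4j 2 jar. Checking class paths inside the archive is what makes this robust against shading and renaming; a name-only check would have missed the third jar.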

          People

            Assignee: Stephen Mallette (spmallette)
            Reporter: Dan Snoddy (Snoddy)
            Votes: 0
            Watchers: 4
