Uploaded image for project: 'TinkerPop'
  1. TinkerPop
  2. TINKERPOP-2534

Log4j flagged as critical security violation

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Done
    • 3.4.10
    • 3.6.0
    • console, server
    • None

    Description

      Gremlin server and console include log4j 1.2, which end-of-life'd > 5 years ago. 

      Security scanning software (twistlock), flags log4j 1.2 as a critical security violation, and hence prohibits deployment.

      CRITICAL:
      Attack complexity: low,Attack vector: network,Critical severity,Remote execution
      CVE-2019-17571
      [+https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571+]

      Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

       

      Is there a plan to remove log4j 1.2 so that installation of either gremlin server or console do not include the jars that trigger this security issue?

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. TINKERPOP-1983 Update Log4j to Log4j2

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            People

              spmallette Stephen Mallette
              Snoddy Dan Snoddy
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: