Subscribe for automatic updates: RSS icon RSS

Login icon Sign in for full access | Help icon Help
Advanced search

Pages: [1]
  Reply  |  Print  
Author Topic: Log4J Vulnerability  (Read 1864 times)
Martha R.
Posts: 4


« on: September 09, 2024, 09:16:05 pm »

Good Afternoon, 

We've been contacted by a client concerned about the log4j-1.2.13.jar vulnerabilities:

For CVE-2021-44228:  In a previous post, you mentioned this jar is outside the version range that contains the vulnerability.
For CVE-2022-23305 (Deserialization of Untrusted Data in JMSAppender) :  In the same post, you mentioned that you don't use JMSAppender

But what about CVE-2022-23307 - Chainsaw ? 

Also, the customer is asking why gre is using a jar file that has been end-of-life for quite some time now.   

Thanks,

Martha

Reuben B.
Four Js
Posts: 1116


« Reply #1 on: September 10, 2024, 01:46:21 am »

What versions of our products are you looking at?

Reuben

Product Consultant (Asia Pacific)
Developer Relations Manager (Worldwide)
Author of https://4js.com/ask-reuben
Contributor to https://github.com/FourjsGenero
Christine R.
Four Js
Posts: 443


« Reply #2 on: September 10, 2024, 10:25:32 am »

Hello Martha,

FourJs has upgraded log4j to version 2.17.1 since the versions 3.10.17, 3.20.18, 4.00.05 and 5.00.00 of GRE.
Maybe your customers is using an older version.

Best regards,

Christine HEIM-REBIERE
FourJs Customer Care
Martha R.
Posts: 4


« Reply #3 on: September 10, 2024, 02:01:47 pm »

Hi Christine,

Thanks a lot for replying to my post.

Our customer is running a Genero Runtime version 3.10.  Our new version of our software runs in the Genero version 4.01 which has the newer jar versions. 

I'm just wondering if you can provide me with any information regarding vulnerability CVE-2022-23307 - Chainsaw.  Do you guys use it?  Or Can I tell the customer that vulnerability is nothing they need to worry about it.

Thanks,

Martha
Christine R.
Four Js
Posts: 443


« Reply #4 on: September 10, 2024, 02:15:42 pm »

Hi Martha,

As said before, we encourage you to update your version of the report writer to the latest maintenance release version.
Regarding the vulnerability CVE-2022-23307 Chainsaw, from the description (see below), it is located in the component Chainsaw which is a gui based log viewer. We don't make use of that in our product. 
https://nsfocusglobal.com/apache-log4j-deserialization-and-sql-injection-vulnerability-cve-2022-23302-cve-2022-23305-cve-2022-23307-alert/
I hope this will help you.
 
Best regards,

Christine
Martha R.
Posts: 4


« Reply #5 on: September 10, 2024, 05:21:00 pm »

Hi Christine,

Thank you so much for replying to my posts. 

We use the Genero Report Writer but we don't create reports with Java.  If we don't use java, so we don't need to worry about the log4j-1.2.13.jar vulnerabilities.   Or even if we don't write reports with Java, genero report writer uses it internally.

Thanks,

Martha
Martha R.
Posts: 4


« Reply #6 on: September 11, 2024, 01:24:56 pm »

Hi Christine,

I apologize but I'm trying to understand the vulnerability.  I understand our customer is in an old version but I want to know if we don't use Java to write reports, are these vulnerabilities an issue ?  Or Can I say to the customer you don't need to worry since we don't use java to write the reports.

Thanks,

Martha
Reuben B.
Four Js
Posts: 1116


« Reply #7 on: September 16, 2024, 04:27:17 am »

Hi Martha,

I know you have got the answer you sought via a question to the support portal.  Just a reminder to you and everyone that if you need an answer quickly, support portal should be your preferred method of communication.  Support portal communication triggers timers associated with our Service Level Agreements, raising a question in the forum for others in the community to answer does not.

To help provide some closure to the forum community  for your question ...

Genero Report Writer uses Java.  If you look inside GREDIR/bin/greportwriter, GREDIR/bin/printerinfo etc you will see that it executes a java application.  If you have ever seen a Genero Report Writer error message, you will recognise it as a Java error message (long and exposing the stack) as opposed to a 2 line 4gl error message.  It is also why distributed mode has the performance advantage it does due to not starting/stopping multiple JVM.   If you look inside GREDIR/lib/jars you will a number of .jar Java archives including log4j.  There are 70+ .jar files, do we use every single piece functionality in all of those 70+ .jar files?, answer is no.  We don't want to get in positions where we are saying this old version is save to use because we don't use a particular piece of functionality in a .jar.

One of the reasons we encourage customers to be in the habit of updating and remaining up to date with Genero versions is so that they are also up to date with any 3rd party libraries that we use.  GRE 3.10.17  was released in January 2022 https://forum.4js.com/fjs_forum/index.php?topic=1748.msg5675#msg5675.   Martha answer suggested that her customer was on a version older than 3.10.17, so older than January 2022.  That customer is therefore missing out on at leat 2.5 years of security updates and bug fixes.

Reuben


 

Product Consultant (Asia Pacific)
Developer Relations Manager (Worldwide)
Author of https://4js.com/ask-reuben
Contributor to https://github.com/FourjsGenero
Pages: [1]
  Reply  |  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines