Log4J on Linux & Windows

john.ho · December 10, 2021, 10:39pm

In regarding to Log4J issue - https://www.wired.com/story/log4j-flaw-hacking-internet/https://www.wired.com/story/log4j-flaw-hacking-internet/

From the Thread “Java Zero Day Question” Kevin.Herron mentioned
7.9 and 8.x don’t use Log4J.

But
I have Ignition 7.9 on Debian Linux
I see
./etc/ignition/log4j.properties
./var/lib/ignition/data/log4j.properties

is the Ignition 8.x on Windows and Linux are using the same logback ? so we can cross out
Ignition 8.x

For Ignition 7.9 Windows, how do we check for Log4J?

Tks
John

Kevin.Herron · December 10, 2021, 10:41pm

Nothing to worry about, we don't use log4j as the logging backend. The log4j.properties files are artifacts from the past and are not used.

john.ho · December 10, 2021, 10:44pm

Excellent, Thanks Kevin.

So we can ignore both Windows and Linux based Ignition for both 7.9 and 8.1

Tks

J.

Kevin.Herron · December 10, 2021, 10:45pm

Yes, should be good to go. The last version of Ignition that used log4j was 7.8, and it used something like log4j version 1.2.x, which isn’t affected by this CVE.

Those who snoop around may find an artifact called log4j-over-slf4j, but this just a bridge that let us move from log4j to slf4j/logback without modifying every single file that had used a log4j logger.

John_Leiska · December 13, 2021, 8:56pm

I would like to be 100% certain on this topic…can this please be clarified? The following library is running on our test and production Ignition servers. It is not part of this CVE?

/usr/local/bin/ignition/lib/core/common/log4j-over-slf4j-1.7.26.jar

Thank you in advance!

lrose · December 13, 2021, 8:58pm

As @Kevin.Herron said, this is just a bridge that let them move from log4j to slf4j easily.