Is Nikita affected by the recent Log4J2 Vulnerability?

Thomas Sødring tsodring at oslomet.no
Mon Jan 10 11:40:14 CET 2022


Replying inline!

  - Thomas

On 1/10/22 5:28 AM, Ole Aamot wrote:
> Hi again Thomas,
>
> [ Domeneshop marked your message as spam, so I am forwarding it again
>   to the mailing list in the hope that it reaches everyone who is
>   affected by their spam filter policy, which marks legitimate messages
>   as Junk. Check the Junk folder now and then if you use
>   webmail.domeneshop.no to read email.
>   (Unfortunately I cannot do anything about the spam filter policy at
>   Domeneshop, since I never had access to the mail servers at Domeneshop
>   and no longer have access to the Domeneshop admin; otherwise I
>   recommend Host1 DA for domains. http://www.host1.no/
> ]
>
OsloMet's MS mail server marked your message to the list as spam too! 
Clap clap!

> Do you know whether the Log4j2 security hole is now fixed in Maven (2.17.1)?
>
> https://logging.apache.org/log4j/2.x/maven-artifacts.html
>
>

I don't know. My recommendation is to use maven >= 3. I don't have the 
capacity to read up on earlier versions. Nor have I picked up that the 
use of maven in nikita is a security risk with respect to log4j. My 
understanding is that it is services running on the network that are 
problematic. maven is not exposed to the Internet.


> Historical message from NSM about Apache log4j:
>
> https://nsm.no/fagomrader/digital-sikkerhet/nasjonalt-cybersikkerhetssenter/varsler-fra-ncsc/utvidet-oppdatering-for-apache-log4j-cve-2021-44228
>
>
> ---
> Regards,
> Ole Aamot
> ole at aamotsoftware.no
> Aamot Software - an NHO-registered IT company
> http://www.aamotsoftware.no/
>
>
> On 2021-12-15 10:57, Thomas Sødring wrote:
>> Hi,
>>
>> With the recent news about the log4j2 vulnerability I was asked if
>> nikita was affected. Initially, I did not believe it was. spring.io had
>> an announcement that spring with default configuration is not affected.
>>
>> https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
>>
>>
>> However java dependency management introduces lots of related
>> dependencies. I am unsure how these dependencies are vulnerable.
>>
>> I have taken the recommended steps to mitigate this problem. I will
>> document our approach here:
>>
>> https://gitlab.com/OsloMet-ABI/nikita-noark5-core/-/issues/207
>>
>> Currently there are only 4 dependencies left before we can rule out if
>> nikita is vulnerable or not.
>>
>> The nikita test instance (api and gui) has been pulled off the general
>> internet by Oslomet and is only available to those that connect to the
>> Oslomet vpn. I expect this situation to continue for a number of weeks.
>>
>>   - Thomas
>> _______________________________________________
>> nikita-noark mailing list
>> nikita-noark at nuug.no
>> https://lists.nuug.no/mailman/listinfo/nikita-noark
>>
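The question left open above is how transitive dependencies pulled in by Maven can expose a project to the log4j2 vulnerability, and which of them need attention. The script below is an added example for this thread, not nikita's own tooling or anything from the linked issue: it parses the plain-text output of `mvn dependency:tree`, flags every `log4j-core` artifact older than a fix threshold (assumed here to be 2.17.1, the version asked about in the thread), and reports the direct dependency that pulled each one in, which is where an exclusion or version override has to go. The sample tree, the project and vendor coordinates in it, and the threshold are constructed. Only `log4j-core` is flagged, because that is the artifact containing the vulnerable lookup; `log4j-api` and `log4j-to-slf4j`, which Spring Boot pulls in by default, are not themselves affected, as the spring.io post linked above explains.

```python
"""Flag outdated log4j-core artifacts in `mvn dependency:tree` output.

Added example, not nikita's own tooling. Assumes the plain-text tree format
printed by maven-dependency-plugin and a fix threshold of 2.17.1 (the version
asked about in the thread); adjust FIXED_VERSION for other advisories.
"""
import re

FIXED_VERSION = "2.17.1"
VULNERABLE_ARTIFACT = ("org.apache.logging.log4j", "log4j-core")

# Constructed sample output; project and vendor coordinates are placeholders.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ example-app ---
[INFO] example.org:example-app:jar:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.1:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |     +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |     |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |     \\- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] +- example.vendor:report-engine:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
[INFO] BUILD SUCCESS
"""

# Tree lines: "[INFO] " + drawing characters + "group:artifact:type[:classifier]:version[:scope]"
TREE_LINE = re.compile(r"^\[INFO\] (?P<prefix>[|+\\\- ]*)(?P<coord>[A-Za-z0-9_.\-]+:\S+)$")


def version_key(version):
    """Comparable key for a Maven version: '2.17.1' -> (2, 17, 1, 0, 0).

    The numeric prefix is padded to four components; a suffix such as
    '-beta9' or '-rc1' marks a pre-release, which sorts below the release.
    """
    m = re.match(r"(\d+(?:\.\d+)*)(.*)$", version)
    if not m:
        return (-1,)  # unparseable version sorts below everything, so it gets flagged
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    nums.append(-1 if m.group(2) else 0)
    return tuple(nums)


def parse_tree(text):
    """Yield one dict per node with its depth, coordinates, scope and ancestor path."""
    stack = []  # "group:artifact:version" of the ancestors of the current node
    for raw in text.splitlines():
        m = TREE_LINE.match(raw)
        if not m:
            continue  # plugin banners and other [INFO] chatter
        parts = m.group("coord").split(":")
        if len(parts) < 4:
            continue
        depth = len(m.group("prefix")) // 3  # each tree level is 3 characters wide
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:        # root project line: no scope
            version, scope = parts[3], None
        elif len(parts) == 5:      # group:artifact:type:version:scope
            version, scope = parts[3], parts[4]
        else:                      # classifier present
            version, scope = parts[4], parts[5]
        del stack[depth:]
        stack.append(f"{group}:{artifact}:{version}")
        yield {"depth": depth, "group": group, "artifact": artifact,
               "version": version, "scope": scope, "path": list(stack)}


def find_vulnerable(text, fixed=FIXED_VERSION):
    """Return log4j-core nodes older than `fixed`, with the direct dependency
    that pulled each one in (the node itself when it is declared directly)."""
    fixed_key = version_key(fixed)
    findings = []
    for node in parse_tree(text):
        if (node["group"], node["artifact"]) != VULNERABLE_ARTIFACT:
            continue
        if version_key(node["version"]) >= fixed_key:
            continue
        path = node["path"]
        findings.append({
            "version": node["version"],
            "scope": node["scope"],
            "direct_dependency": path[1] if len(path) > 1 else path[0],
            "path": " -> ".join(path),
        })
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_TREE):
        print(f"log4j-core {f['version']} ({f['scope']}) via {f['direct_dependency']}")
        print(f"  {f['path']}")
```

Run against real output with `mvn dependency:tree > tree.txt` and feed the file's contents to `find_vulnerable`. On the constructed sample it reports a single finding, the 2.14.1 `log4j-core` reached through the vendor library, while the 2.17.1 test-scoped copy and the `log4j-api`/`log4j-to-slf4j` artifacts from Spring Boot are left alone. Test-scoped copies still appear in findings when they are old, since the scope is reported rather than filtered; decide per project whether test scope is acceptable.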

