| 1 |
On Wed, Dec 15, 2021, 15:40 William Kenworthy <billk@×××××××××.au> wrote: |
| 2 |
|
| 3 |
> I was reading up on log4j and its recent problems and discovered it can |
| 4 |
> "hide" layers deep inside java jar files depending on how its used. |
| 5 |
> |
| 6 |
> I can see that dev-embedded/arduino includes log4j directly (and does it |
| 7 |
> embed log4j in code produced for IoT?): |
| 8 |
> |
| 9 |
> rattus ~ # locate *.jar|grep 4j |
| 10 |
> /usr/share/arduino/lib/log4j-api-2.12.0.jar |
| 11 |
> /usr/share/arduino/lib/log4j-core-2.12.0.jar |
| 12 |
> /usr/share/arduino/lib/slf4j-api-1.7.22.jar |
| 13 |
> /usr/share/arduino/lib/slf4j-simple-1.7.22.jar |
| 14 |
> rattus ~ # |
| 15 |
> |
| 16 |
> BUT there are a lot of other jar files on my systems which have log4j |
| 17 |
> embedded in it. |
| 18 |
> |
| 19 |
These are likely coming in as transitive dependencies from other |
| 20 |
dependencies that might be shaded. Any dependencies pulling log4j need to |
| 21 |
updated. Easier said than done obviously. |
| 22 |
|
| 23 |
> Sylf (not in portage that I can see) seems like it can build an SBOM for a |
| 24 |
> target (Software Bill of Materials) that could identify deeply embedded |
| 25 |
> log4j instances - has anyone used this on a gentoo system (it looks like it |
| 26 |
> needs to specifically target a distro) or is there something |
| 27 |
> easier/better? "strings|grep log4j" works on the arduino jar files but |
| 28 |
> that wont work on propriety encrytpted jar files (such as propriety apps |
| 29 |
> where it may likely be used). And is doing just jar files enough? |
| 30 |
> |
| 31 |
> BillK |
| 32 |
> |
| 33 |
> ** try something like 'find /opt /lib64 /usr/share -name *.jar -print |
| 34 |
> -exec strings {} \; |grep log4j' |
| 35 |
> |
Archives