Archives
Archives
| From: | William Kenworthy <billk@×××××××××.au> |
|---|---|
| To: | "gentoo-user@l.g.o" <gentoo-user@l.g.o> |
| Subject: | [gentoo-user] log4j |
| Date: | Wed, 15 Dec 2021 23:40:14 |
| Message-Id: | b5f49090-daa8-39a1-0a03-feca725a9c9f@iinet.net.au |
| 1 | |
| 2 | |
| 3 | |
| 4 | |
| 5 | |
| 6 | |
| 7 | I was reading up on log4j and its recent problems and discovered |
| 8 | it can "hide" layers deep inside java jar files depending on how |
| 9 | its used. |
| 10 | I can see that dev-embedded/arduino includes log4j directly (and |
| 11 | does it embed log4j in code produced for IoT?): |
| 12 | rattus ~ # locate *.jar|grep 4j |
| 13 | /usr/share/arduino/lib/log4j-api-2.12.0.jar |
| 14 | /usr/share/arduino/lib/log4j-core-2.12.0.jar |
| 15 | /usr/share/arduino/lib/slf4j-api-1.7.22.jar |
| 16 | /usr/share/arduino/lib/slf4j-simple-1.7.22.jar |
| 17 | rattus ~ # |
| 18 | |
| 19 | BUT there are a lot of other jar files on my systems which have |
| 20 | log4j embedded in it. |
| 21 | Sylf (not in portage that I can see) seems like it can build an |
| 22 | SBOM for a target (Software Bill of Materials) that could identify |
| 23 | deeply embedded log4j instances - has anyone used this on a gentoo |
| 24 | system (it looks like it needs to specifically target a distro) or |
| 25 | is there something easier/better?�� "strings|grep log4j" works on |
| 26 | the arduino jar files but that wont work on propriety encrytpted |
| 27 | jar files (such as propriety apps where it may likely be used).�� |
| 28 | And is doing just jar files enough? |
| 29 | |
| 30 | BillK |
| 31 | ** try something like 'find /opt /lib64 /usr/share -name *.jar |
| 32 | -print -exec strings {} \; |grep log4j' |
| 33 | |
| 34 | |
| 35 | |
| 36 | |
| 37 |
| Subject | Author |
|---|---|
| Re: [gentoo-user] log4j | "Andrey F." <ma3oxuct@×××××.com> |