[Opensim-dev] Log4J (Ferd Frederix/Fred Beckhusen)

Teravus Ovares teravus at gmail.com
Thu Dec 16 02:44:18 UTC 2021


I took a look at the CVEs and neither of them applies to OpenSimulator's use
of it out of the box.  That's not to say that it is wise, long term, to
keep this version.  There are two CVEs: one is for a version earlier
than the one in OpenSimulator; for the second, someone would have to configure
a special log appender that goes to the Linux Syslog.

Furthermore, if Dependabot had an issue with the library, it would show up
on pull requests on this project:
https://github.com/opensim/opensim/pulls?q=is%3Aopen+is%3Apr , unless
someone disabled Dependabot on the project.  It is enabled by default,
though.

In other words... Don't panic. You're still safe.

On Wed, Dec 15, 2021 at 3:18 PM Cinder Roxley <cinder at alchemyviewer.org>
wrote:

>
> https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=7281&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2&sha=f70b070c708ceeabfdce6d62f53aef9c82924571
>
> --
> Sent from Canary (https://canarymail.io)
>
> > On Wednesday, Dec 15, 2021 at 5:15 PM, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > vulnerability.
> >
> > This is eluding my google-fu and I can't find anything about it. Have a
> > link?
> >
> > -D
> >
> > On Wed, Dec 15, 2021 at 10:00 AM Fred Beckhusen <fred at mitsi.com> wrote:
> >
> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
> > > vulnerability. That's the issue.
> > >
> > > We don't load Robust.exe.config or Opensim.exe.config with user-supplied
> > > data, so AFAIK, we don't have an exploitable security issue. But that
> > > may not matter. IT professionals will be much more sensitive to XXE
> > > after their Log4J remediation efforts.
> > >
> > > We all know that the major sponsors of Opensim are Universities. Their
> > > IT departments are under attack.
> > >
> > > ~ Fred
> > >
> > >
> > > _______________________________________________
> > > Opensim-dev mailing list
> > > Opensim-dev at opensimulator.org
> > > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
>
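The thread turns on one question: does anything feed attacker-controlled XML into log4net's config parser, which is the surface an XXE bug in an XML-configured logging library needs. The following is an added example, not code from this thread or from OpenSimulator, and the two config snippets in it are constructed samples. It uses Python's expat bindings only as a tokenizer to report the constructs an XXE payload relies on (a DOCTYPE, entity declarations, external entity references) without ever resolving them, so it can be run over a Robust.exe.config or OpenSim.exe.config to confirm that the file is DTD-free.

```python
"""Audit a log4net-style XML config for the DTD and entity constructs an
XXE payload relies on.  Added example, not OpenSimulator code.  expat is
used purely as a tokenizer: it never fetches external entities on its own
and parameter-entity parsing is off by default, so an external DTD is
never loaded while auditing."""
import xml.parsers.expat


# Constructed sample: a benign log4net section of the kind found in a
# *.exe.config file.
SAFE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <log4net>
    <appender name="Console" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date %-5level - %message%newline" />
      </layout>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="Console" />
    </root>
  </log4net>
</configuration>
"""

# Constructed sample: the same config carrying a classic XXE payload.  A
# DOCTYPE declares an external entity and expands it in element content;
# a parser that resolves external entities would read /etc/passwd here.
XXE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE configuration [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<configuration>
  <log4net>
    <appender name="Console" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%message%newline" />
      </layout>
      <threshold>&xxe;</threshold>
    </appender>
    <root>
      <level value="INFO" />
      <appender-ref ref="Console" />
    </root>
  </log4net>
</configuration>
"""


def audit_config(xml_text):
    """Return a list of findings.  An empty list means the document has no
    DOCTYPE, no entity declarations and no external entity references."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        msg = f"DOCTYPE for <{name}>"
        if sysid:
            msg += f" with external subset {sysid}"
        if has_internal_subset:
            msg += " with internal subset"
        findings.append(msg)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        if sysid:
            findings.append(f"external {kind} entity {name!r} -> {sysid}")
        else:
            # Internal entities matter too: nested ones are the
            # "billion laughs" expansion attack.
            findings.append(f"internal {kind} entity {name!r} ({len(value or '')} chars)")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity referenced in content: {sysid}")
        return 1  # tell expat it was handled; nothing is fetched

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref

    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def is_dtd_free(xml_text):
    """True when a config carries nothing an XXE attack could use."""
    return not audit_config(xml_text)


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("xxe", XXE_CONFIG)):
        print(label, audit_config(cfg) or "clean")
```

A clean result on the shipped config files supports the point made in the thread: the XXE weakness is reachable only if untrusted XML reaches the config parser. The parser-side hardening on .NET, independent of this example, is to disable DTD processing (`XmlReaderSettings.DtdProcessing = DtdProcessing.Prohibit`) or set `XmlResolver` to null so external entities are never fetched.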
