[Opensim-dev] Log4J (Ferd Frederix/Fred Beckhusen)

Teravus Ovares teravus at gmail.com
Thu Dec 16 07:46:38 UTC 2021


Looks like it is moot anyway.

https://github.com/opensim/opensim/commit/da4d4149f03ad5e1240cc05c04800ad445f7fc81
Ubit may have taken care of it for future releases.

On Wed, Dec 15, 2021 at 6:44 PM Teravus Ovares <teravus at gmail.com> wrote:

> I took a look at the CVEs and neither of them apply to OpenSimulator's use
> of it out of the box. That's not to say that it is wise, long term, to
> keep this version. There are two CVEs: one is for a version earlier
> than the one in OpenSimulator; for the second, someone would have to configure
> a special log appender that goes to the Linux Syslog.
>
> Furthermore, if Dependabot had an issue with the library, it would show up
> on Pull requests on this project:
> https://github.com/opensim/opensim/pulls?q=is%3Aopen+is%3Apr . Unless
> someone disabled Dependabot on the project. It is enabled by default
> though.
>
> In other words... Don't panic. You're still safe.
>
> On Wed, Dec 15, 2021 at 3:18 PM Cinder Roxley <cinder at alchemyviewer.org>
> wrote:
>
>>
>> https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=7281&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=2&sha=f70b070c708ceeabfdce6d62f53aef9c82924571
>>
>> --
>> Sent from Canary (https://canarymail.io)
>>
>> > On Wednesday, Dec 15, 2021 at 5:15 PM, Dahlia Trimble <dahliatrimble at gmail.com> wrote:
>> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
>> > vulnerability.
>> >
>> > This is eluding my google-fu and I can't find anything about it. Have a
>> > link?
>> >
>> > -D
>> >
>> > On Wed, Dec 15, 2021 at 10:00 AM Fred Beckhusen <fred at mitsi.com> wrote:
>> >
>> > > Github's Dependabot says very publicly that our Log4Net.dll has an XXE
>> > > vulnerability. That's the issue.
>> > >
>> > > We don't load Robust.exe.config or Opensim.exe.config with user
>> supplied
>> > > data, so AFAIK, we don't have an exploitable security issue. But that
>> > > may not matter. IT professionals will be much more sensitive to XXE
>> > > after their Log4J remediation efforts.
>> > >
>> > > We all know that the major sponsors of Opensim are Universities. Their
>> > > IT departments are under attack.
>> > >
>> > > ~ Fred
>> > >
>> > >
>> > > _______________________________________________
>> > > Opensim-dev mailing list
>> > > Opensim-dev at opensimulator.org
>> > > http://opensimulator.org/cgi-bin/mailman/listinfo/opensim-dev
>>
>

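As an added defender's check (not code from OpenSimulator or log4net), here is a small Python audit for the log4net section of a config such as OpenSim.exe.config or Robust.exe.config: it refuses any file that carries a DTD, which is the hook an XXE payload needs, and otherwise lists the configured appenders, flagging the syslog appenders the thread says the second CVE depends on. The appender class names are log4net's own; the sample configs are constructed.

```python
# Added example, not OpenSimulator or log4net code: audit the log4net XML in an
# OpenSim.exe.config / Robust.exe.config before it is handed to a parser.
import re
import xml.etree.ElementTree as ET

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# log4net's two syslog appenders; the thread notes the second CVE needs one.
SYSLOG_APPENDERS = {"log4net.Appender.RemoteSyslogAppender",
                    "log4net.Appender.LocalSyslogAppender"}


def audit_log4net_config(xml_text):
    """Return {'dtd', 'appenders', 'syslog_appenders'} for one config file.

    A DTD is refused before parsing: the shipped configs declare no entities,
    so a DOCTYPE means the file was edited from an untrusted source.
    """
    if DOCTYPE_RE.search(xml_text):
        return {"dtd": True, "appenders": [], "syslog_appenders": []}
    root = ET.fromstring(xml_text)
    # Appender types sit in the 'type' attribute of each <appender>; strip the
    # optional ", AssemblyName" suffix so matching is by class name only.
    appenders = [a.get("type", "").split(",")[0].strip()
                 for a in root.iter("appender")]
    syslog = [t for t in appenders if t in SYSLOG_APPENDERS]
    return {"dtd": False, "appenders": appenders, "syslog_appenders": syslog}


# Constructed sample shaped like the log4net section of OpenSim.exe.config.
SAFE_CONFIG = """<configuration>
  <log4net>
    <appender name="Console" type="log4net.Appender.ConsoleAppender">
      <layout type="log4net.Layout.PatternLayout">
        <conversionPattern value="%date{HH:mm:ss} - %message%newline" />
      </layout>
    </appender>
    <root><level value="DEBUG" /><appender-ref ref="Console" /></root>
  </log4net>
</configuration>"""

# Same layout, but logging to syslog: the audit reports the appender.
SYSLOG_CONFIG = SAFE_CONFIG.replace(
    "log4net.Appender.ConsoleAppender",
    "log4net.Appender.RemoteSyslogAppender, log4net")

# Same file with a DTD prepended: the audit stops before parsing it.
DTD_CONFIG = '<!DOCTYPE configuration [<!ENTITY ver "0.9">]>\n' + SAFE_CONFIG

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("syslog", SYSLOG_CONFIG),
                      ("dtd", DTD_CONFIG)):
        print(name, audit_log4net_config(cfg))
```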