rombaum ZB MED - Information Centre for Life Sciences Bonn, Germany https://orcid.org/0000-0001-5246-9351

rombaum/bioschemas.github.io 0

Files for the Bioschemas website.

rombaum/DataTablesSrc 0

DataTables source repository

rombaum/go-site 0

A collection of metadata, tools, and files associated with the Gene Ontology public web presence.

rombaum/OLS 0

Ontology Lookup Service from SPOT at EBI

rombaum/opal-doc 0

Opal documentation

issue comment EBISPOT/OLS

Log4j security issues

Hi @udp

Thanks for your reply. First of all, that sounds good. But I found this:

Log4j version 1.x is not directly vulnerable, because it does not offer a JNDI look up mechanism. However, Log4j 1.x comes with JMSAppender, which will perform a JNDI lookup if enabled in Log4j's configuration file (i.e., log4j.properties or log4j.xml). Thus, an attacker who can write to an application's Log4j configuration file can perform a remote code execution attack whenever Log4j 1.x reads its malicious configuration file. Source: https://www.technology.pitt.edu/content/additional-guidance-regarding-log4j-vulnerability

Is the JMSAppender disabled in OLS/OxO?

rombaum

comment created time in a month
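The quoted guidance turns on a configuration detail: Log4j 1.x only reaches JNDI through JMSAppender, and only when the configuration file defines that appender and wires it to a logger. The following script is an added example (not code from the OLS project or from anyone in this thread) that audits a Log4j 1.x `log4j.properties` or `log4j.xml` file for exactly that, reporting JMSAppender instances that are defined and, separately, those actually attached to a logger. It assumes the standard Log4j 1.x configuration syntax; the sample configurations embedded in it are constructed for the demonstration.

```python
"""Audit a Log4j 1.x configuration for JMSAppender (the JNDI-lookup path in 1.x).

Added example for the issue thread above; not part of OLS. Assumes the
standard log4j.properties / log4j.xml syntax of Log4j 1.x.
"""
import re
import xml.etree.ElementTree as ET

JMS_APPENDER_CLASS = "org.apache.log4j.net.JMSAppender"

# log4j.appender.<name>=<class>   (sub-keys such as .layout do not match)
_APPENDER_RE = re.compile(r"^log4j\.appender\.([^.=:\s]+)\s*[=:]\s*(\S+)$")
# log4j.rootLogger / rootCategory / logger.<x> / category.<x> = LEVEL, app1, app2
_LOGGER_RE = re.compile(
    r"^log4j\.(?:rootLogger|rootCategory|logger\.[^=:\s]+|category\.[^=:\s]+)"
    r"\s*[=:]\s*(.+)$"
)


def _scan_properties(text):
    """Return (jms_appender_names, referenced_appender_names) for a .properties file."""
    defined, refs = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # comments / blank lines
            continue
        m = _APPENDER_RE.match(line)
        if m:
            if m.group(2) == JMS_APPENDER_CLASS:
                defined.append(m.group(1))
            continue
        m = _LOGGER_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",")]
            refs.update(p for p in parts[1:] if p)  # parts[0] is the level
    return defined, refs


def _scan_xml(text):
    """Same as _scan_properties, for log4j.xml (<appender class=...> / <appender-ref ref=...>)."""
    root = ET.fromstring(text.strip())
    defined = [a.get("name", "") for a in root.iter("appender")
               if a.get("class") == JMS_APPENDER_CLASS]
    refs = {r.get("ref") for r in root.iter("appender-ref")}
    return defined, refs


def audit_log4j1_config(text):
    """Return (defined, active): JMSAppender names present in the config, and the
    subset that is attached to a logger and therefore enabled at runtime."""
    if text.lstrip().startswith("<"):
        defined, refs = _scan_xml(text)
    else:
        defined, refs = _scan_properties(text)
    active = [name for name in defined if name in refs]
    return defined, active


# Constructed samples (not taken from OLS or any real deployment).
SAFE_PROPERTIES = """
# console logging only
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
"""

RISKY_PROPERTIES = """
# JMSAppender defined AND attached to the root logger
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.example.ContextFactory
"""

UNWIRED_XML = """
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="stdout" class="org.apache.log4j.ConsoleAppender"/>
  <appender name="jms" class="org.apache.log4j.net.JMSAppender"/>
  <root>
    <appender-ref ref="stdout"/>
  </root>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, cfg in [("safe.properties", SAFE_PROPERTIES),
                       ("risky.properties", RISKY_PROPERTIES),
                       ("unwired.xml", UNWIRED_XML)]:
        defined, active = audit_log4j1_config(cfg)
        print(f"{label}: JMSAppender defined={defined} active={active}")
```

The distinction between "defined" and "active" matters for triage: an appender that is declared but not referenced by any logger does no JNDI lookup as shipped, but it is one edited line away from doing so, so a review should still ask for it to be removed rather than left unwired.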

issue opened EBISPOT/OLS

Log4j security issues

Dear OLS team, Dear @henrietteharmse, Dear @udp,

Do you think there are any problems in the context of the Log4j security issues for OLS? OLS is using an older version of Apache Solr. As far as I know that is a problem because Solr uses Log4j. That sounds to me like it could be critical to use OLS.

So is there a way to upgrade or disable this functionality to get rid of the risk of this issue?

I'm looking forward,

Roman

created time in a month
