Clarification over status regarding CVE-2021-44228
Gaibhne opened this issue
It would be nice if we could get some official word on whether this repository is affected by the catastrophic CVE-2021-44228 that is currently affecting a considerable percentage of software around the globe. From my limited understanding and looking at the refreshingly concise list of dependencies in the pom.xml, I would think this project is not affected, but I and probably others who are not familiar with the project's internals would appreciate an official word.
PS: I understand that typically it wouldn't make much sense to comment on every CVE that doesn't affect a product, but considering the severity and pervasiveness of this particular issue, maybe an exception is warranted.
Sure, no problem.
We've put a note here to confirm that PlantUML is not affected by this vulnerability.
You have a short discussion here.
The core library PlantUML.jar does not use log4j at all, so no worry here.
The webserver (so the jar file and the docker) was using log4j, but only in one single JUnit test case. So no logging was actually done in the deployed server. We have simply removed this dependency in our last commit.
So you don't need to worry about this CVE concerning PlantUML and you don't need to update.
Since we are talking about security, if you are running PlantUML on a server connected to the internet, you must read this page to set up your PLANTUML_SECURITY_PROFILE to the appropriate value (probably INTERNET).
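The maintainer's answer above is that neither plantuml.jar nor the deployed server ships log4j. For anyone who wants to verify that claim on the artifact they actually deploy rather than on the pom.xml alone, the following is an added example (not code from the thread or from the PlantUML project) that scans a jar, including jars nested inside a fat jar or war, for the log4j-core classes associated with CVE-2021-44228. The marker class paths are the real log4j-core locations (`JndiLookup.class`, `JndiManager.class`); the sample jars built by `build_sample_jar` are constructed fixtures for demonstration, and `scan_jar_file` is the hypothetical entry point you would point at your own `plantuml.jar` or server image contents.

```python
"""Scan .jar/.war files (and archives nested inside them) for log4j-core
classes linked to CVE-2021-44228. Added example, not PlantUML project code."""
import io
import zipfile
from typing import Dict, List

# Real class paths from log4j-core; JndiLookup is the class behind CVE-2021-44228.
LOG4J_CORE_MARKERS = (
    "org/apache/logging/log4j/core/lookup/JndiLookup.class",
    "org/apache/logging/log4j/core/net/JndiManager.class",
)
# Any class under this prefix means *some* log4j artifact is bundled
# (log4j-api alone is not vulnerable, so this is only a weaker signal).
LOG4J_PACKAGE_PREFIX = "org/apache/logging/log4j/"
NESTED_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def scan_jar_bytes(data: bytes, name: str = "<root>", depth: int = 0,
                   max_depth: int = 3) -> List[str]:
    """Return findings as 'outer.jar!inner.jar!path/To/Class.class'.

    Recurses into nested archives up to max_depth so fat jars and wars
    (where log4j-core typically sits under WEB-INF/lib/) are covered.
    """
    findings: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive; nothing to inspect
    with zf:
        for entry in zf.namelist():
            if entry in LOG4J_CORE_MARKERS:
                findings.append(f"{name}!{entry}")
            elif entry.endswith(NESTED_SUFFIXES) and depth < max_depth:
                findings.extend(
                    scan_jar_bytes(zf.read(entry), f"{name}!{entry}",
                                   depth + 1, max_depth))
    return findings


def uses_log4j_package(data: bytes) -> bool:
    """True if any class under org/apache/logging/log4j/ is present
    (top level only). Weaker signal than scan_jar_bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(e.startswith(LOG4J_PACKAGE_PREFIX) for e in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_jar_file(path: str) -> List[str]:
    """Hypothetical entry point: scan a jar/war on disk, e.g. plantuml.jar."""
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), name=path)


def build_sample_jar(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture: build an in-memory jar from a name->bytes mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed sample archives (contents are placeholders, not real bytecode).
CLEAN_JAR = build_sample_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "net/sourceforge/plantuml/Run.class": b"\xca\xfe\xba\xbe",
})
VULNERABLE_JAR = build_sample_jar({
    "org/apache/logging/log4j/core/lookup/JndiLookup.class": b"\xca\xfe\xba\xbe",
})
NESTED_WAR = build_sample_jar({
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/lib/log4j-core.jar": VULNERABLE_JAR,
})

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_JAR), ("vulnerable", VULNERABLE_JAR),
                        ("nested", NESTED_WAR)):
        print(label, scan_jar_bytes(blob, name=label + ".jar"))
```

Run `scan_jar_file("plantuml.jar")` against the jar you deploy; an empty list means no log4j-core JNDI classes were found at any nesting level. A non-empty result names the exact archive path, which is what an IT audit (like the Azure finding mentioned later in this thread) usually wants to see before closing a ticket.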
Thank you for the fast response. We run our server internally only (but use the INTERNET security profile), but still did not want to potentially leave open holes of this magnitude :D
I apologize for not checking the main page first, I noticed no commits and no open issues regarding the CVE (I didn't realize about the -server repository) and did not think to look any further.
I noticed this issue is now being linked to, so I will leave it open for further questions unless you prefer to close it.
Are there any plans to update the docker image at docker hub? Our IT department sees the log4j vulnerability popping up in the Azure security audits for this container image.
We've just updated the docker image (v1.2021.17).
It should be fine now, tell us if it's not.