LodView has a transitive dependency on log4j 1.2.17 included from Apache Jena 2.13.0, see below.
According to https://logging.apache.org/log4j/1.2/:
A security vulnerability, CVE-2019-17571 has been identified against Log4j 1. Log4j includes a SocketServer that accepts serialized log events and deserializes them without verifying whether the objects are allowed or not. This can provide an attack vector that can be exploited. Since Log4j 1 is no longer maintained this issue will not be fixed. Users are urged to upgrade to Log4j 2.
However it is very important to not use a Jena version that depends on Log4j 2 < 2.15.0, as this suffers from an arguably even worse security vulnerability, see https://logging.apache.org/log4j/2.x/index.html.
The current latest version depends on log4j2 2.14.1. Thus, this current version should not be used:
```xml
<dependency>
    <groupId>org.apache.jena</groupId>
    <artifactId>apache-jena-libs</artifactId>
    <version>4.3.0</version>
    <type>pom</type>
</dependency>
```

However, according to https://github.com/apache/jena/commits/jena-4.3.1, this seems to be fixed in Jena 4.3.1. Thus I will not create a pull request just yet and recommend waiting until Jena 4.3.1 is officially released and available on Maven Central, and then using that if it doesn't break anything.
$ mvn dependency:tree
[...]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ lodview ---
[WARNING] The artifact xml-apis:xml-apis:jar:2.0.2 has been relocated to xml-apis:xml-apis:jar:1.0.b2
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] | +- org.apache.jena:jena-tdb:jar:1.1.2:compile
[INFO] | | +- org.apache.jena:jena-arq:jar:2.13.0:compile
[INFO] | | | +- org.apache.httpcomponents:httpclient:jar:4.2.6:compile
[INFO] | | | | +- org.apache.httpcomponents:httpcore:jar:4.2.5:compile
[INFO] | | | | \- commons-codec:commons-codec:jar:1.6:compile
[INFO] | | | +- com.github.jsonld-java:jsonld-java:jar:0.5.1:compile
[INFO] | | | | +- com.fasterxml.jackson.core:jackson-core:jar:2.3.3:compile
[INFO] | | | | \- com.fasterxml.jackson.core:jackson-databind:jar:2.3.3:compile
[INFO] | | | | \- com.fasterxml.jackson.core:jackson-annotations:jar:2.3.0:compile
[INFO] | | | +- org.apache.httpcomponents:httpclient-cache:jar:4.2.6:compile
[INFO] | | | +- org.apache.thrift:libthrift:jar:0.9.2:compile
[INFO] | | | \- org.apache.commons:commons-csv:jar:1.0:compile
[INFO] | | \- org.apache.jena:jena-core:jar:2.13.0:compile
[INFO] | | +- org.apache.jena:jena-iri:jar:1.1.2:compile
[INFO] | | \- xerces:xercesImpl:jar:2.11.0:compile
[INFO] | | \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] | \- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.springframework:spring-context:jar:4.2.4.RELEASE:compile
[INFO] | +- org.springframework:spring-aop:jar:4.2.4.RELEASE:compile
[INFO] | | \- aopalliance:aopalliance:jar:1.0:compile
[INFO] | +- org.springframework:spring-beans:jar:4.2.4.RELEASE:compile
[INFO] | +- org.springframework:spring-core:jar:4.2.4.RELEASE:compile
[INFO] | \- org.springframework:spring-expression:jar:4.2.4.RELEASE:compile
[INFO] +- org.springframework:spring-webmvc:jar:4.2.4.RELEASE:compile
[INFO] | \- org.springframework:spring-web:jar:4.2.4.RELEASE:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.1:compile
[INFO] +- org.slf4j:jcl-over-slf4j:jar:1.7.1:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.0.7:compile
[INFO] | \- ch.qos.logback:logback-core:jar:1.0.7:compile
[INFO] +- javax.servlet:javax.servlet-api:jar:3.0.1:provided
[INFO] +- javax.servlet.jsp:jsp-api:jar:2.1:provided
[INFO] +- javax.servlet.jsp.jstl:jstl-api:jar:1.2:compile
[INFO] +- org.glassfish.web:jstl-impl:jar:1.2:compile
[INFO] +- org.apache.commons:commons-lang3:jar:3.3.1:compile
[INFO] \- org.springframework.boot:spring-boot-starter-integration:jar:1.1.4.RELEASE:compile
[INFO] +- org.springframework.boot:spring-boot-starter:jar:1.1.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot:jar:1.1.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-autoconfigure:jar:1.1.4.RELEASE:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-logging:jar:1.1.4.RELEASE:compile
[INFO] | | +- org.slf4j:jul-to-slf4j:jar:1.7.7:compile
[INFO] | | \- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO] | \- org.yaml:snakeyaml:jar:1.13:runtime
[INFO] +- org.springframework.boot:spring-boot-starter-aop:jar:1.1.4.RELEASE:compile
[INFO] | +- org.aspectj:aspectjrt:jar:1.8.1:compile
[INFO] | \- org.aspectj:aspectjweaver:jar:1.8.1:compile
[INFO] +- org.springframework:spring-messaging:jar:4.0.6.RELEASE:compile
[INFO] +- org.springframework:spring-tx:jar:4.0.6.RELEASE:compile
[INFO] +- org.springframework.integration:spring-integration-core:jar:4.0.2.RELEASE:compile
[INFO] | \- org.springframework.retry:spring-retry:jar:1.1.0.RELEASE:compile
[INFO] +- org.springframework.integration:spring-integration-file:jar:4.0.2.RELEASE:compile
[INFO] | \- commons-io:commons-io:jar:2.4:compile
[INFO] +- org.springframework.integration:spring-integration-http:jar:4.0.2.RELEASE:compile
[INFO] | \- net.java.dev.rome:rome-fetcher:jar:1.0.0:compile
[INFO] | +- jdom:jdom:jar:1.0:compile
[INFO] | +- net.java.dev.rome:rome:jar:1.0.0:compile
[INFO] | \- commons-httpclient:commons-httpclient:jar:3.0.1:compile
[INFO] +- org.springframework.integration:spring-integration-ip:jar:4.0.2.RELEASE:compile
[INFO] \- org.springframework.integration:spring-integration-stream:jar:4.0.2.RELEASE:compile
[INFO] ------------------------------------------------------------------------
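The two conditions this issue describes (any `log4j:log4j` 1.x artifact in the tree, and `log4j-core` below the Log4j 2 version floor named above) can be checked mechanically against `mvn dependency:tree` output. The following is an added example, not code from LodView or from this issue: it parses the tree, reports each offending artifact together with the direct dependency that pulls it in (so you know what to bump or exclude), and deliberately does not flag SLF4J bridges such as `slf4j-log4j12` and `log4j-over-slf4j`, which carry "log4j" in their name but are not Log4j itself. The sample tree, the `com.example:some-lib` parent and the function names are constructed for illustration. The `2.15.0` floor is the one this issue cites; it is a parameter, and the floor in force should be taken from the current Log4j security page rather than hard-coded.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample in the format `mvn dependency:tree` prints (three-column
# indentation per level). It mirrors the shape of the tree in this issue but is
# not a real capture; com.example:some-lib is a hypothetical parent.
SAMPLE_TREE = """\
[INFO] lodview:lodview:war:1.2.1-SNAPSHOT
[INFO] +- org.apache.jena:apache-jena-libs:pom:2.13.0:compile
[INFO] |  +- org.slf4j:slf4j-log4j12:jar:1.7.6:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.7:compile
[INFO] \\- com.example:some-lib:jar:1.0:compile
[INFO]    +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

# groupId:artifactId:packaging[:classifier]:version[:scope], optionally followed
# by a parenthetical such as "(optional)". The root line has no scope.
COORD_RE = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w\-]+:(?:[\w\-]+:)?([\w.\-]+)(?::(\w+))?"
    r"(?:\s+\(.*\))?\s*$"
)
# "+- " or "\- " marks a child; its column position encodes the depth.
MARKER_RE = re.compile(r"[+\\]- ")

LOG4J1 = "log4j:log4j"
LOG4J2_CORE = "org.apache.logging.log4j:log4j-core"


class Finding(NamedTuple):
    ga: str        # groupId:artifactId
    version: str
    path: str      # direct dependency -> ... -> offending artifact
    reason: str


def parse_version(v: str) -> Tuple[int, int, int]:
    """Numeric prefix of a Maven version, e.g. '4.2.4.RELEASE' -> (4, 2, 4)."""
    parts = re.split(r"[.\-]", v)[:3]
    nums = [int(p) if p.isdigit() else 0 for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def find_vulnerable_log4j(tree_text: str, log4j2_floor: str = "2.15.0") -> List[Finding]:
    """Scan dependency:tree output for Log4j 1.x and for log4j-core below the floor.

    log4j2_floor is the minimum acceptable log4j-core version (the issue cites
    2.15.0); pass the floor currently published on the Log4j security page.
    """
    floor = parse_version(log4j2_floor)
    stack: List[str] = []      # ancestor coordinates, indexed by tree depth
    findings: List[Finding] = []
    for line in tree_text.splitlines():
        if not line.startswith("[INFO] "):
            continue            # skip WARNING/ERROR lines and separators
        body = line[len("[INFO] "):]
        m = COORD_RE.search(body)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        marker = MARKER_RE.search(body)
        depth = (marker.start() // 3 + 1) if marker else 0   # 0 = project root
        del stack[depth:]
        stack.append(f"{group}:{artifact}:{version}")
        ga = f"{group}:{artifact}"
        path = " -> ".join(stack[1:])   # omit the project itself
        if ga == LOG4J1:
            findings.append(Finding(ga, version, path,
                                    "Log4j 1.x is unmaintained; CVE-2019-17571 "
                                    "(SocketServer deserialization) will not be fixed"))
        elif ga == LOG4J2_CORE and parse_version(version) < floor:
            # Only log4j-core matters here; log4j-api alone carries no lookups.
            findings.append(Finding(ga, version, path,
                                    f"log4j-core {version} is below the {log4j2_floor} floor"))
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"{f.ga} {f.version}\n  via: {f.path}\n  why: {f.reason}")
```

Run it against a real capture with `mvn dependency:tree | python check_log4j.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; because bridges and bindings are matched on exact `groupId:artifactId`, `slf4j-log4j12` shows up only indirectly, as the sibling of the `log4j:log4j` artifact it binds to, which is the artifact that actually needs to go.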