#i2p-dev (irc2p) | 2.7.0-1 | 2.8.0 Release Discussion: http://i2pforum.i2p/viewtopic.php?t=1301

#i2p-dev

/2021/12/11

Online: 57

@eyedeekay

&kytv

&zzz

+Anomaly

+R4SAS

+RN

+RN_

+T3s|4

+acetone

+hk

+orignal

+postman

+weko

+wodencafe

Arch

Danny

DeltaOreo

FreeRider

FreefallHeavens

Irc2PGuest12106

Irc2PGuest32754

Irc2PGuest77854

Nausicaa

Onn4l7h

Onn4|7h

Over1

Sisyphus

Sleepy_

Soni

T3s|4_

Teeed

aargh1

anon2

b3t4f4c3

bak83

boonst

cancername

cumlord

dr4wd3

dr|z3d

eyedeekay_bnc

hagen_

itsjustme

khb

mittwerk

not_bob_afk

plap

poriori

profetikla

r3med1tz

rapidash

shiver_

solidx66

u5657_1

uop23ip

w8rabbit

x74a6

AmyMalik is i2p affected by the log4j RCE, i.e. does i2p feed lines not wholly under its control to log4j?

dr|z3d AmyMalik: no.

AmyMalik No as in, i2p does not use log4j+

AmyMalik ?*

dr|z3d correct.

AmyMalik awesome

AmyMalik Irc2PGuest35925:

AmyMalik wodey, your id is leaking

zzz eche|off, 12 hours after your question (and my answer) I got on twitter for the first time today and learned why you asked about log4j

zzz somebody should have pulled the damn fire alarm and told somebody (me) what was going on

zzz or somebody like zab who could also have investigated

zzz in particular there's also the plugins that need to be gone through

zzz bote and jwebcache appear to use it

zzz although both appear to be using ancient non-vulnerable version

zzz you all failed collectively to either do your own research or give me any info on a potential crisis

AmyMalik ;-;

zzz the question is not 'does i2p use log4j' but 'do we or any of our dependencies (jetty, tomcat, etc) or any plugin or any of their dependencies or any other i2p java application or their dependencies use it'

zzz oh and by the way drop EVERYTHING else to answer the question

AmyMalik i should've gone looking.. ;-;

AmyMalik sorry zzz ;-;

zzz y'all can use grep just as well as I can :)

eyedeekay Just sent you an email zzz

eyedeekay The only jar I see it in is jetty-i2p.jar

eyedeekay This JNDI lookups thing, does it even have any value to us?

eyedeekay I checked in a change to log4j.properties to disable it but I'll back it out if it should stay on

zzz - where do you see it in jetty-i2p.jar?

zzz - how does your change protect our users?

zzz and if you think that change does protect users, then we should be doing an emergency release tonight, right?

eyedeekay In a config file named log4j.properties and I don't think anything else

eyedeekay I'm not convinced we're directly vulnerable to this one

eyedeekay But the change should protect users from the class of vulnerability "JNDI Injection" in log4j by disabling the corresponding feature, "JNDI lookups"

eyedeekay If we were to be vulnerable, I think the most obvious way would be if the eepSite was configured to log headers somehow, and they recieved a header containing the crafted string

zzz I could have spent all day on this if eche or anybody had told me. a little late now

zzz your change looks harmless

zzz I haven't found any problems yet

zzz bote and jwebcache come the closest

zzz but haven't checked to see what jetty and tomcat and ant have to say on the topic

eyedeekay I had a look at jetty, it's difficult to follow but I don't think jetty 9.3.29 with our configuration will use log4j

eyedeekay Apparently jetty<10 uses it's own logging thing: stackoverflow.com/a/25794109

eyedeekay But I don't know for sure, it would appear that if slf4j is in the classpath, it might use slf4j which might in turn be using log4j

zzz I'm pretty confident that jetty and tomcat are in the clear. if you folks would like to survey all the known plugins that would be great

zzz so far all i've found is bote and jwebcache on 1.x

zzz *** afk ***

eyedeekay I will keep looking, agree with you so far

dr|z3d > Java 8u121 protects against RCE by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".

eyedeekay unzipped and grepped all the plugin files I have

eyedeekay only other log4j user I found was pebble, which uses log4j 1.2.15 which is not affected.

eyedeekay Further it is already anti-recommended due to vulnerabilities in pebble 2.4

dr|z3d pebble's dead, jim!

eyedeekay Yeah I'm pretty sure it won't even work

dr|z3d speaking of blogs, lektor's another interesting static bog generator which the torproject's migrating over to.

dr|z3d getlektor.com

eyedeekay Ooh. That doesn't look bad at all for a blog

dr|z3d thought it might tickle you :)

eyedeekay As long as I can convince it HOME=$HOME/.i2p/plugins/lektor in some way I don't see it being too challenging to pluginize

eyedeekay Apparently by default it installs itself to a place determined by the user's $HOME

Pajamas i need to take a shower

Pajamas but im too lazy too :(

dr|z3d lektor or publii.. nice to have choices :)

zzz log4j thread: zzz.i2p/topics/3214

val_ zzz: I've added wrapper.java.additional.5=-Dlog4j2.formatMsgNoLookups=true to my wrapper.config