Is R-Package h2o affected by log4j-vulnerability? (and how to solve)

Time:12-16

A vulnerability of log4j became public. Amongst other packages, I am using the R shiny and h2o packages. I already found out that shiny is not affected by the vulnerability, since it uses log4js (see https://github.com/log4js-node/log4js-node/issues/1105), which is an implementation in JavaScript.

Now we come to h2o. I know that this package provides an API to the h2o framework in Java. In the documentation on building h2o from source from GitHub (see https://h2o-release.s3.amazonaws.com/h2o/rel-noether/4/docs-website/developuser/quickstart_git.html), I found the following lines:

javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/mapr2.1.3/hadoop-0.20.2-dev-core.jar"
-d classes/mapr2.1.3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_mapr2.1.3.jar -C classes/mapr2.1.3 .
make build_inner HADOOP_VERSION=cdh3
mkdir classes/cdh3
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh3/hadoop-core-0.20.2-cdh3u6.jar" -d
classes/cdh3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_cdh3.jar -C classes/cdh3 .
make build_inner HADOOP_VERSION=cdh4
mkdir classes/cdh4
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh4/hadoop-common.jar:../

It seems like h2o is using log4j, but I don't know much about Java and its dependencies.

Can anyone with more knowledge clarify whether the h2o package is affected by the log4j vulnerability? And if so, how to solve or work around this?

Thank you very much in advance.

CodePudding user response:

A jar file is just a compressed folder with a different name. You can explore your packages looking for this information.

H2O's official statement, including affected versions and recommendations: https://www.h2o.ai/security/bulletins/h2o-2021-001/
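The answer's point that a jar is just a zip archive you can open, turned into an added Python example (not code from the page, from H2O or from the R package): it walks a directory for jars, reads the bundled Maven metadata to report the log4j generation and version, descends into nested jars (fat jars such as h2o.jar embed their libraries), and flags whether the log4j 2.x JNDI lookup class is present. The directory layout, nested jar and version strings built in demo() are constructed sample values, not taken from a real h2o install.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Entries that reveal which log4j generation a jar bundles (Maven metadata plus a core class).
LOG4J1_POM = "META-INF/maven/log4j/log4j/pom.properties"
LOG4J2_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
# The log4j 2.x class that performs JNDI lookups; its presence is what patched builds remove.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def _pom_version(zf, entry):
    """Return the 'version=' value from a pom.properties entry, or None if absent."""
    if entry not in zf.namelist():
        return None
    for line in zf.read(entry).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def inspect_jar(zf, label):
    """List (jar, generation, version, jndi_lookup_present) for one jar and any nested jars."""
    names = set(zf.namelist())
    found = []
    if LOG4J1_CLASS in names or LOG4J1_POM in names:
        found.append((label, "1.x", _pom_version(zf, LOG4J1_POM), False))
    if LOG4J2_POM in names or JNDI_LOOKUP in names:
        found.append((label, "2.x", _pom_version(zf, LOG4J2_POM), JNDI_LOOKUP in names))
    for name in sorted(n for n in names if n.endswith(".jar")):  # fat-jar contents
        with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
            found.extend(inspect_jar(inner, label + "!" + name))
    return found

def scan_jars(root):
    """Inspect every *.jar below root, e.g. the 'java' directory of the installed R package."""
    results = []
    for jar in sorted(Path(root).rglob("*.jar")):
        with zipfile.ZipFile(jar) as zf:
            results.extend(inspect_jar(zf, jar.name))
    return results

def demo():
    """Constructed sample: a fat jar carrying log4j 1.2.15 plus a nested unpatched log4j-core 2.x."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(LOG4J2_POM, "version=2.14.1\n")  # constructed version string
        z.writestr(JNDI_LOOKUP, b"")                  # empty stand-in for the class file
    tmp = tempfile.mkdtemp()
    with zipfile.ZipFile(Path(tmp) / "app.jar", "w") as z:
        z.writestr(LOG4J1_POM, "version=1.2.15\n")
        z.writestr(LOG4J1_CLASS, b"")
        z.writestr("lib/log4j-core.jar", inner.getvalue())
    return scan_jars(tmp)
```

Point scan_jars() at the directory where the R package keeps its jar (system.file("java", package = "h2o") in R) and compare the reported versions against the H2O bulletin linked above.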

CodePudding user response:

As stated on https://logging.apache.org/log4j/2.x/security.html Log4J 1.x versions are not affected by this vulnerability. And it seems that h2o is using log4j-1.2.15.jar so you are okay.
