
Is Cromwell affected by log4shell?

Open ynedelec opened this issue 2 years ago • 5 comments

A simple grep through the source code reveals several hits with Log4j:

CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-core</artifactId>
CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-api</artifactId>
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Level;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.LogManager;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Logger;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.core.config.Configurator;
project/Dependencies.scala:    // Replace all log4j usage with slf4j
project/Dependencies.scala:    // https://www.slf4j.org/legacy.html#log4j-over-slf4j
project/Dependencies.scala:    "org.slf4j" % "log4j-over-slf4j" % slf4jV

I wasn't able to expose a vulnerability by using malicious code, but my test is probably not extensive. It looks like this lib is used in a packaging tool of Cromwell, so it is probably not executed during production. On the other hand, slf4j seems to be used everywhere. Is that abstraction layer vulnerable?

Could you please let us know if you believe Cromwell is affected by Log4shell?

Thanks,

ynedelec avatar Dec 13 '21 12:12 ynedelec

I have the same question.

trum994 avatar Dec 13 '21 16:12 trum994

I am dealing with this problem too, this page might be helpful: http://slf4j.org/log4shell.html

natechols avatar Dec 13 '21 16:12 natechols

Cromwell may be vulnerable in certain configurations. This is being looked into.

We recommend the immediate remedy of disabling the vulnerable feature of Log4j:

-Dlog4j2.formatMsgNoLookups=True

Source.

aednichols avatar Dec 13 '21 17:12 aednichols

Cromwell itself does not use Log4j.

This can be verified by executing sbt dependencyTree and noting that all instances of "log4j" occur in org.slf4j:log4j-over-slf4j which is a Log4j compatibility bridge from a different project.

The utility tool CromwellRefdiskManifestCreator is written in Java and does use Log4j. It is not included in the Cromwell JAR. It is being updated presently.

aednichols avatar Dec 14 '21 23:12 aednichols

We redundantly re-verified the absence of the problem class [0] by unzipping the shipping Cromwell JAR and manually checking that the path is empty.

[0] org/apache/logging/log4j/core/lookup/JndiLookup.class

aednichols avatar Dec 17 '21 19:12 aednichols
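The two checks aednichols describes in the replies above (the dependency tree shows "log4j" only inside org.slf4j:log4j-over-slf4j, and the shipped JAR contains no org/apache/logging/log4j/core/lookup/JndiLookup.class) can be turned into a repeatable scan of a built artifact. The script below is an added example, not code from the Cromwell project; it builds two constructed sample JARs in a temporary directory so it runs offline, and it recurses into nested JARs because fat JARs often embed their dependencies as archives. The key distinction it encodes: log4j-over-slf4j re-implements the Log4j 1.x API under the package prefix `org/apache/log4j/`, which a naive grep for "log4j" matches, whereas Log4Shell concerns `log4j-core` 2.x under `org/apache/logging/log4j/core/`.

```python
"""Scan a JAR (and nested JARs) for the Log4Shell-relevant log4j-core class.

Added example, not part of the Cromwell issue thread. The sample archives are
constructed here so the script runs offline; they are not real Cromwell builds.
"""
import io
import tempfile
import zipfile
from pathlib import Path

# The class whose presence means log4j-core 2.x (the Log4Shell-affected
# artifact) is on the classpath; this is the path checked in the thread.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Package prefix of the Log4j 1.x API, which log4j-over-slf4j re-implements.
# Its presence alone does NOT indicate log4j-core 2.x.
LOG4J1_API_PREFIX = "org/apache/log4j/"
LOG4J2_CORE_PREFIX = "org/apache/logging/log4j/core/"


def scan_jar_bytes(data: bytes, path: str = "<root>") -> dict:
    """Return findings for one archive, recursing into nested .jar/.zip/.war entries."""
    findings = {"jndi_lookup": [], "log4j2_core": [], "log4j1_api": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name == JNDI_LOOKUP:
                findings["jndi_lookup"].append(f"{path}!/{name}")
            elif name.startswith(LOG4J2_CORE_PREFIX) and name.endswith(".class"):
                findings["log4j2_core"].append(f"{path}!/{name}")
            elif name.startswith(LOG4J1_API_PREFIX) and name.endswith(".class"):
                findings["log4j1_api"].append(f"{path}!/{name}")
            if name.lower().endswith((".jar", ".zip", ".war")):
                nested = scan_jar_bytes(zf.read(info), f"{path}!/{name}")
                for key in findings:
                    findings[key].extend(nested[key])
    return findings


def scan_jar(path) -> dict:
    """Scan a JAR on disk."""
    return scan_jar_bytes(Path(path).read_bytes(), str(path))


def verdict(findings: dict) -> str:
    """Summarise findings, ranking the affected class above mere package matches."""
    if findings["jndi_lookup"]:
        return "AFFECTED: log4j-core JndiLookup present"
    if findings["log4j2_core"]:
        return "REVIEW: log4j-core classes present but JndiLookup removed"
    if findings["log4j1_api"]:
        return "CLEAN: only org.apache.log4j (1.x API / slf4j bridge) classes"
    return "CLEAN: no log4j classes"


def build_sample_jars(directory: Path) -> dict:
    """Construct two sample fat JARs (placeholder class bytes, not real classes)."""
    stub = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed stand-in
    # Bridge-only JAR: what a build pulling log4j-over-slf4j looks like.
    bridge = directory / "bridge-only.jar"
    with zipfile.ZipFile(bridge, "w") as zf:
        zf.writestr("org/apache/log4j/Logger.class", stub)
        zf.writestr("org/slf4j/Logger.class", stub)
    # Affected JAR: a nested log4j-core archive inside a fat JAR.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP, stub)
        zf.writestr("org/apache/logging/log4j/core/Logger.class", stub)
    nested = directory / "with-nested-core.jar"
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.x.jar", inner.getvalue())
        zf.writestr("org/apache/log4j/Logger.class", stub)
    return {"bridge": bridge, "nested": nested}


def demo() -> dict:
    """Build the constructed samples and return the verdict for each."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = build_sample_jars(Path(tmp))
        return {name: verdict(scan_jar(p)) for name, p in jars.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

To check a real artifact, call `verdict(scan_jar("path/to/cromwell.jar"))`; the `REVIEW` verdict exists because removing JndiLookup.class from a log4j-core JAR was a common interim mitigation, and such an archive still warrants a version check rather than being declared clean on the basis of the class path alone.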