New 0-day Log4j Vulnerability

Is KNIME working on remediating/upgrading the log4j 0-day exploit?
I see the following in my installation:
C:\Program Files\KNIME\plugins\org.apache.xmlbeans5_5.0.0.v202104291535\lib\log4j-core-2.14.0.jar

Is there a way to remove this plugin until a fix is available?

3 Likes
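A defender-side check for the situation described above, added here as an example and not code from KNIME or from anyone in this thread: it walks an installation tree, finds every `log4j-core-*.jar` (such as the one under the XMLBeans plugin), reads the version from the file name and reports whether the `JndiLookup` class, which the JNDI-based exploit relies on and which Apache's documented mitigation removes, is still inside the jar. The demo tree it scans is constructed in a temporary directory; the file names, the `plugins/.../lib` layout and the version cut-off (2.15.0 is the first release that disabled JNDI lookups by default) are assumptions made for the example.

```python
import os
import re
import tempfile
import zipfile

# Jar name pattern for log4j-core, e.g. log4j-core-2.14.0.jar as found under the KNIME plugins dir.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
# The lookup class used by the JNDI exploit; Apache's documented mitigation deletes it from the jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def assess_jar(path):
    """Inspect one log4j-core jar: version from the file name, and whether JndiLookup is still inside."""
    m = JAR_RE.match(os.path.basename(path))
    if not m:
        return None  # not a log4j-core jar
    version = tuple(int(x) for x in m.groups())
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_CLASS in zf.namelist()
    # 2.0 <= version < 2.15.0 performs JNDI lookups by default; a jar with the class removed is mitigated.
    at_risk = (2, 0, 0) <= version < (2, 15, 0) and has_jndi
    return {"path": path, "version": ".".join(map(str, version)), "jndi_class": has_jndi, "at_risk": at_risk}


def scan_install(root):
    """Walk an installation tree (e.g. C:\\Program Files\\KNIME) and assess every log4j-core jar in it."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            result = assess_jar(os.path.join(dirpath, name))
            if result:
                findings.append(result)
    return findings


def _make_demo_install(root):
    """Constructed offline demo tree: a 2.14.0 jar that still ships JndiLookup, and a later jar without it."""
    lib = os.path.join(root, "plugins", "org.apache.xmlbeans", "lib")  # assumed layout, not KNIME's exact path
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.0.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # fake class body; only the entry name matters here
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


def demo():
    """Scan the constructed tree and return the findings (used by the usage call below)."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_install(_make_demo_install(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point `scan_install()` at a real installation root to get the same per-jar report; a jar flagged `at_risk` is one where the lookup class is present and the version predates the fix.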

Hi @ajackson and welcome to the Knime community.

Indeed, this needs to be fixed.

In your case, are you using Knime as a server serving external users? If not, then you should be fine.

This is used for logging, and to exploit that vulnerability, you would need to log a special character submitted by the attacker. If you are not using Knime as a server, no one is submitting anything to you as you are not serving anyone.

6 Likes

I’m not - just locally on my workstation. In that case I’m just hoping our IT security doesn’t get over-zealous in blocking/removing it unilaterally across all systems.
Thanks for the quick reply! =)

3 Likes

Neither KNIME Server nor KNIME Analytics Platform (in any version) are affected by this issue. Either it is not using log4j at all or an older version is used that does not have the problem. The log4j 2 reference you found is only used by XMLBeans but this cannot be exploited.
Moreover recent Java versions are also not affected by it in any case.

9 Likes

Are you really sure? I am not.

  1. What version of log4j does KNIME (as executor in KNIME server) use? If it is log4j 1.x, then we may have a problem according to Log4j – Apache Log4j Security Vulnerabilities :
    “Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.”
  2. And it seems that newer JRE do not prevent the problem according to Kritische Zero-Day-Lücke in Log4j gefährdet zahlreiche Server und Apps | heise online :
    “[Update 13.12.2021 07:45] The Apache project has removed the note that Java version Java 8u121 remedies the problem. We have adjusted this in the article.”
3 Likes

We are currently preparing an “official” statement. But to the best of our knowledge none of our software is affected by these issues, neither the recent log4j 2 issue nor the older log4j 1 issues.

6 Likes

Where can I find the official statement, when published?

1 Like
7 Likes

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.