Is KNIME working on remediating/upgrading the log4j 0-day exploit?
I see the following in my installation:
C:\Program Files\KNIME\plugins\org.apache.xmlbeans5_5.0.0.v202104291535\lib\log4j-core-2.14.0.jar
Is there a way to remove this plugin until a fix is available?
In your case, are you using KNIME as a server serving external users? If not, then you should be fine.
This is used for logging, and to exploit that vulnerability, you would need to log a special character submitted by the attacker. If you are not using KNIME as a server, no one is submitting anything to you as you are not serving anyone.
I’m not - just locally on my workstation. In that case I’m just hoping our IT security doesn’t get over-zealous in blocking/removing it unilaterally across all systems.
Thanks for the quick reply! =)
Neither KNIME Server nor KNIME Analytics Platform (in any version) are affected by this issue. Either it is not using log4j at all or an older version is used that does not have the problem. The log4j 2 reference you found is only used by XMLBeans but this cannot be exploited.
Moreover, recent Java versions are also not affected by it in any case.
What version of log4j does KNIME (as executor in KNIME Server) use? If it is log4j 1.x, then we may have a problem according to Log4j – Apache Log4j Security Vulnerabilities:
“Please note that Log4j 1.x has reached end of life and is no longer supported. Vulnerabilities reported after August 2015 against Log4j 1.x were not checked and will not be fixed. Users should upgrade to Log4j 2 to obtain security fixes.”
We are currently preparing an “official” statement. But to the best of our knowledge none of our software is affected by these issues, neither the recent log4j 2 issue nor the older log4j 1 issues.
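For the "which log4j version is in my install" question raised in this thread, here is an added inventory script (not KNIME's or XMLBeans' code) that walks an installation directory, reads the version of every log4j jar from its manifest or file name, and labels 1.x as end of life and 2.x by the 2.15.0 threshold; that threshold and the constructed sample tree (built from the plugin path quoted in the question) are assumptions for the example. As the replies above point out, a jar being present is an inventory fact, not proof that anything attacker-controlled ever reaches a logger.

```python
import os, re, tempfile, zipfile
# Matches log4j, log4j-core, log4j-api, log4j-1.2-api jars and captures the version.
JAR_RE = re.compile(r"^log4j(?:-core|-api|-1\.2-api)?-(\d+(?:\.\d+)*)\.jar$", re.I)
FIXED_2X = (2, 15, 0)  # assumed threshold for this example: first 2.x release addressing the lookup issue

def jar_version(path):
    """Version from the jar's MANIFEST.MF, falling back to the file name."""
    try:
        with zipfile.ZipFile(path) as z:
            mf = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        m = re.search(r"^Implementation-Version:\s*(\S+)", mf, re.M)
        if m:
            return m.group(1)
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # not a readable jar or no manifest: use the file name instead
    m = JAR_RE.match(os.path.basename(path))
    return m.group(1) if m else None

def classify(version):
    """Inventory verdict only; whether a logger ever sees untrusted input is a separate question."""
    v = tuple(int(p) for p in re.findall(r"\d+", version or "")[:3])
    if not v:
        return "version unknown"
    if v[0] == 1:
        return "log4j 1.x: end of life, no upstream fixes"
    if v < FIXED_2X:
        return "log4j 2.x below 2.15.0: review whether any attacker-controlled string reaches a logger"
    return "log4j 2.x at or above 2.15.0"

def inventory(root):
    """Return {relative jar path: (version, verdict)} for every log4j jar under root."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().startswith("log4j") and name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                ver = jar_version(path)
                found[os.path.relpath(path, root)] = (ver, classify(ver))
    return found

def demo_install():
    """Constructed sample tree mimicking the plugin path quoted in the question."""
    root = tempfile.mkdtemp()
    lib = os.path.join(root, "plugins", "org.apache.xmlbeans5_5.0.0.v202104291535", "lib")
    os.makedirs(lib)
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.14.0.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nImplementation-Version: 2.14.0\n")
    with zipfile.ZipFile(os.path.join(root, "plugins", "log4j-1.2.17.jar"), "w") as z:
        z.writestr("placeholder.txt", "")  # no manifest, so the version comes from the file name
    return root
```

Run `inventory(demo_install())` to see the constructed sample classified; point `inventory()` at a real KNIME directory to list what is actually shipped.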