Security vulnerability in log4j - KNIME software not affected

Thanks a lot for your quick answer. I will forward it and see what happens.

Best,
Lars

@thor after updating to KNIME 4.5.1 in the library/folder

\knime_4.5.0\plugins\org.apache.xmlbeans5_5.0.0.v202104291535\lib\org.apache.xmlbeans5_5.0.0.v202104291535

I (still?) find these files:

log4j-api-2.14.0.jar
log4j-core-2.14.0.jar

Should they (or the whole folder) be deleted, since there is a folder with a newer version:

org.apache.xmlbeans5_5.0.0.v202201100917

log4j-api-2.17.1.jar
log4j-core-2.17.1.jar

As recommended the line in the knime.ini is in place:

-Dlog4j2.formatMsgNoLookups=true

Eclipse does not immediately delete older versions of plug-ins. Usually they are gone after the second-next update. The older versions are not used any more though. It should be possible to delete them by hand but no warranty here.

3 Likes

I went ahead and moved those 2 jars in the bin. KNIME still starts and it ran a minor WF no problem.
If that’s any help :upside_down_face:

2 Likes

I deleted the whole folder structure and it seems to still work, although I have not done much testing yet.

2 Likes

I would not expect any problems during runtime because as I mentioned it’s not used any more anyway. But there may be problems when you install/update something the next time and the framework tries to finally delete it and it’s gone already. But maybe it’s also not an issue at all.

3 Likes
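A check for the leftover jars discussed above, as an added example that is not KNIME's own code: it walks a plugins tree for log4j-api/core jars, flags any version below a baseline (2.17.1 here, the newer version named in the thread) and confirms that knime.ini carries the recommended line. The plug-in folders, empty jar files and knime.ini are constructed in a temporary directory; point `find_log4j_jars` and `has_no_lookups_flag` at a real installation instead.

```python
"""Inventory log4j jars under a KNIME install and check the knime.ini flag.
Added example; the tree built below is constructed, not a real install."""
import re
import tempfile
from pathlib import Path

JAR_RE = re.compile(r"^log4j-(api|core)-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def find_log4j_jars(root, baseline="2.17.1"):
    """Return [(relative path, version, outdated)] for each log4j-api/core jar."""
    base = parse_version(baseline)
    hits = []
    for path in sorted(Path(root).rglob("log4j-*.jar")):
        match = JAR_RE.match(path.name)
        if not match:
            continue
        version = match.group(2)
        outdated = parse_version(version) < base
        hits.append((str(path.relative_to(root)), version, outdated))
    return hits

def has_no_lookups_flag(ini_path):
    """True if knime.ini contains the -Dlog4j2.formatMsgNoLookups=true line."""
    with open(ini_path, encoding="utf-8") as fh:
        return any(line.strip() == "-Dlog4j2.formatMsgNoLookups=true" for line in fh)

def build_sample_install():
    """Constructed tree: the older and newer xmlbeans plug-in folders from the thread."""
    root = Path(tempfile.mkdtemp(prefix="knime_sample_"))
    plugin = "org.apache.xmlbeans5_5.0.0."
    layout = {"v202104291535": "2.14.0", "v202201100917": "2.17.1"}
    for stamp, version in layout.items():
        lib = root / "plugins" / (plugin + stamp) / "lib" / (plugin + stamp)
        lib.mkdir(parents=True)
        for kind in ("api", "core"):
            (lib / f"log4j-{kind}-{version}.jar").write_bytes(b"")
    (root / "knime.ini").write_text("-vmargs\n-Dlog4j2.formatMsgNoLookups=true\n")
    return root

if __name__ == "__main__":
    root = build_sample_install()
    for rel, version, outdated in find_log4j_jars(root):
        print(("OUTDATED " if outdated else "ok       ") + version + "  " + rel)
    print("formatMsgNoLookups set:", has_no_lookups_flag(root / "knime.ini"))
```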

Hi,

I see that the new 4.6.0 version has just been made available.

I’ve checked the release notes, but I see no mention regarding replacing log4j version 1. Could you please give an update on this subject?

Kind regards,
Theo

We have updated Log4j to version 1.2.21, see the changelog.

AP-18431: Update of log4j-1.2.15 to 1.2.21 (reload4j)

2 Likes