Hello,
By my organisation I have been asked if my servers running ODK-X endpoint are vulnerable to the log4j hack.
I don’t know much about the servers and I would appreciate your help answering this question.
All the best,
Andreas
Here is the Sync-Endpoint dependencies file:
If you search for log4j you can see we are actually excluding it from our logging system as it conflicted and caused problems in the past.
So at a high level it does not appear to have an issue. However, not sure if one of the dependencies sync-endpoint depends on has a dependency deep in its code. As new versions come out we will be upgrading.
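One way to check the open question above, whether log4j-core is pulled in deep inside another dependency, is to search the deployed archives for the `JndiLookup` class, including jars nested inside a WAR. This is an added example, not part of the original posts or of the ODK-X code; the archive names (`sample.war`, `vendor-bundle.jar`) are constructed sample data.

```python
import io
import zipfile

# Class that implements the JNDI lookup in log4j-core 2.x. Finding it in an
# archive means log4j-core is bundled there, whatever the jar file is named.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def scan_archive(data, label, max_depth=5):
    """Return labels of every (nested) archive in `data` that contains JNDI_CLASS."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive; skip it rather than abort the scan
    with zf:
        for name in zf.namelist():
            if name == JNDI_CLASS:
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and max_depth > 0:
                # Recurse into jars packed inside WARs/EARs or fat jars.
                hits += scan_archive(zf.read(name), f"{label}!/{name}", max_depth - 1)
    return hits


def build_sample_war():
    """Constructed sample: a WAR whose WEB-INF/lib holds one clean jar and one
    jar that bundles log4j-core classes under an unrelated file name."""
    def make_zip(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for name, content in entries.items():
                zf.writestr(name, content)
        return buf.getvalue()

    clean = make_zip({"com/example/App.class": b"\xca\xfe\xba\xbe"})
    shaded = make_zip({JNDI_CLASS: b"\xca\xfe\xba\xbe"})
    return make_zip({
        "WEB-INF/lib/app-core.jar": clean,
        "WEB-INF/lib/vendor-bundle.jar": shaded,
        "WEB-INF/web.xml": b"<web-app/>",
    })


if __name__ == "__main__":
    for hit in scan_archive(build_sample_war(), "sample.war"):
        print("log4j-core JndiLookup found in:", hit)
```

A hit only shows that log4j-core is present; the bundled version still has to be compared against the Apache Log4j security advisories, since fixed releases also ship this class.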
Hello,
In addition to Waylon’s comment, the Tomcat server used by sync-endpoint should also not be affected (as per the official Tomcat website: Apache Tomcat® - Apache Tomcat 8 vulnerabilities)
The other application exposed by sync-endpoint is Nginx which is written in C and not affected by Log4j.
Best regards,
Emil