JanusGraph Security Vulnerability -- Using Log4j 2.8.2 with JanusGraph


Graphs <manas...@...>
 

Hello JanusGraph Development Team

JanusGraph is using Apache log4j. 1.2.x which seems to have security vulnerabilities with deserialization of untrusted data. This will hinder the adoption of JanusGraph due to security reasons.

https://snyk.io/test/github/JanusGraph/janusgraph
https://snyk.io/vuln/SNYK-JAVA-LOG4J-572732

It seems Log4j 2.8.2 and later versions have resolved this vulnerability. See this: https://logging.apache.org/log4j/2.x/security.html

Is it possible to use Log4j 2.8.2 or above with JanusGraph?

~Graphs

Join janusgraph-users@lists.lfaidata.foundation to automatically receive all group messages.