Re: Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"


Yingjie Li
 

Hello Jan,
Thanks for the pointers. I downloaded the last build based on the link you provided.  I unzipped janusgraph-full-1.0.0-SNAPSHOT.zip and tried starting Janusgraph and gremlin.sh, both worked. I removed  log4j-1.2.17.jar, restarted janusgraph, and ran gremlin.sh, but failed.
Does it mean  log4j-1.2.17 is still used somehow and if so, how to disable it?

Thanks.

Yingjie



On Fri, Sep 16, 2022 at 10:08 AM Jansen, Jan via lists.lfaidata.foundation <Jan.jansen=gdata.de@...> wrote:
Hi Yingjie,

You can also download our latest artifacts from github action. https://github.com/JanusGraph/janusgraph/actions/workflows/ci-release.yml?query=branch%3Amaster+is%3Acompleted

Just go to the last build and download distribution-builds.

Greetings,
Jan

From: janusgraph-users@... <janusgraph-users@...> on behalf of hadoopmarc via lists.lfaidata.foundation <hadoopmarc=xs4all.nl@...>
Sent: Friday, September 16, 2022 2:30 PM
To: janusgraph-users@... <janusgraph-users@...>
Subject: Re: [janusgraph-users] Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"
 
Hi Yingjie,

As edited in my previous reaction, the Cassandra jars in the JanusGraph distribution do not include the log4j jar. As to elasticsearch, your best choices are:
  1. not use mixed indices (check whether your application needs them)
  2. build JanusGraph for the current master branch, as already suggested by Boxuan above. The master branch has a patched Elasticsearch version 7.17

Best wishes,    Marc

Join janusgraph-users@lists.lfaidata.foundation to automatically receive all group messages.