janusgraph-users@lists.lfaidata.foundation | Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"

Home Messages Hashtags Subgroups Calendar

Date Date 1 - 20 of 22

Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"

Yingjie Li #6592 Hello All, I have run janusgraph all in one 0.6.1 (janusgraph-full-0.6.1) and have embeded cassandra and elastic search. It seems that the embeded log4j has security issues and the recomended fixes as as below. Any people have done this for their installation, what are the recommended fix ? Thanks Yingjie 1. Upgrade the affected product listed below to a version which includes a patched version of log4j – CISO requires all version 1.x and 2.x to be upgraded to version 2.17.1 or later. 2. If upgrade is not possible, the affected component must be uninstalled or deleted.
More All Messages By This Member
hadoopmarc@... #6593 Edited Hi Yingjie, The JanusGraph and TinkerPop code only explicitly depend on slfj4j, so you can choose the logging implementation. you want You can simply remove the log4j-1.2.17.jar from the lib folder of the janusgraph binary distribution or exclude it in the pom.xml of any project depending on janusgraph. Note that janusgraph also ships with logback and provides a sample config in conf/logback.xml. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6614 On Sat, Aug 20, 2022 at 09:28 AM, <hadoopmarc@...> wrote: The JanusGraph and TinkerPop code only explicitly depend on slfj4j, so you can choose the logging implementation. you want You can simply remove the log4j-1.2.17.jar from the lib folder of the janusgraph binary distribution or exclude it in the pom.xml of any project depending on janusgraph. Note that janusgraph also ships with logback and provides a sample config in conf/logback.xml. Hello Marc, If I remove log4j-1.2.17.jar from the lib directory of janusgraph distribution, say janusgraph-full-0.6.2/lib,then the janusgraph server can not be started. Below is the error message, and there is no janusgraph.log writen out. Am I missing anything? Thanks, Yingjie ...... Forking Cassandra... Running `nodetool statusbinary`.... OK (returned exit status 0 and printed string "running"). Forking Elasticsearch... Connecting to Elasticsearch (127.0.0.1:9200)....... OK (connected to 127.0.0.1:9200). Forking JanusGraph-Server... Connecting to JanusGraph-Server (127.0.0.1:8182)............................. timeout exceeded (60 seconds): could not connect to 127.0.0.1:8182 See janusgraph install directory/bin/../logs/janusgraph.log for JanusGraph-Server log output.
More All Messages By This Member
hadoopmarc@... #6615 Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6619 Hello Marc, Yes. Now it works! Thanks Yingjie toggle quoted message Show quoted text On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6623 Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more toggle quoted message Show quoted text On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6637 Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks toggle quoted message Show quoted text On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Boxuan Li #6638 Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan toggle quoted message Show quoted text On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6639 Hello Boxuan, Does it mean there is no existing release version for full install with this issue being fixed? Would it be possible to have a release with the fix as the code seems available? The way we've been using janusgraph is to install the latest release version in our docker, after customizing/initializing it with our own schema, together with our models of data fusion and query. It worked very well till we hit this security issue. Thanks, Yingjie toggle quoted message Show quoted text On Thu, Sep 15, 2022 at 11:40 AM Boxuan Li <liboxuan@...> wrote: Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Boxuan Li #6640 Sorry I am not sure about that… Maybe Jan (CCed) could answer that? toggle quoted message Show quoted text On Sep 15, 2022, at 2:03 PM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Boxuan, Does it mean there is no existing release version for full install with this issue being fixed? Would it be possible to have a release with the fix as the code seems available? The way we've been using janusgraph is to install the latest release version in our docker, after customizing/initializing it with our own schema, together with our models of data fusion and query. It worked very well till we hit this security issue. Thanks, Yingjie On Thu, Sep 15, 2022 at 11:40 AM Boxuan Li <liboxuan@...> wrote: Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6641 I see. Basically we got a violation notification from the IT dept of our company when running the Janusgraph and were asked to either fix or remove the application. As this is a relatively severe security issue, it would be great if we can have a release with the fix so that we can continue using Janusgraph. Thanks, Yingjie toggle quoted message Show quoted text On Thu, Sep 15, 2022 at 2:38 PM Boxuan Li <liboxuan@...> wrote: Sorry I am not sure about that… Maybe Jan (CCed) could answer that? On Sep 15, 2022, at 2:03 PM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Boxuan, Does it mean there is no existing release version for full install with this issue being fixed? Would it be possible to have a release with the fix as the code seems available? The way we've been using janusgraph is to install the latest release version in our docker, after customizing/initializing it with our own schema, together with our models of data fusion and query. It worked very well till we hit this security issue. Thanks, Yingjie On Thu, Sep 15, 2022 at 11:40 AM Boxuan Li <liboxuan@...> wrote: Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Jansen, Jan #6642 Hi It won't be possible to backport without breaking change. We could work on release of janusgraph 1, after we finished upgrading to Tinkerpop 3.6. We have multiple libs with CVEs in 0.6. If your main issues is log4j2, janusgraph 0.6 should work without log4j2. Greetings, Jan toggle quoted message Show quoted text From: Li Boxuan <liboxuan@...> Sent: Thursday, September 15, 2022 8:38 PM To: janusgraph-users@... <janusgraph-users@...> Cc: Jansen, Jan <Jan.Jansen@...> Subject: Re: [janusgraph-users] Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!" Sorry I am not sure about that… Maybe Jan (CCed) could answer that? On Sep 15, 2022, at 2:03 PM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Boxuan, Does it mean there is no existing release version for full install with this issue being fixed? Would it be possible to have a release with the fix as the code seems available? The way we've been using janusgraph is to install the latest release version in our docker, after customizing/initializing it with our own schema, together with our models of data fusion and query. It worked very well till we hit this security issue. Thanks, Yingjie On Thu, Sep 15, 2022 at 11:40 AM Boxuan Li <liboxuan@...> wrote: Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
Yingjie Li #6643 Hello Jan, Yes, the only issue is the log4j2 that comes with janusgraph-full-0.6.2.zip installation. If there are some configurations that can be changed to fix this issue, that's all what we need. Please let me know the steps. Thanks, Yingjie toggle quoted message Show quoted text On Thu, Sep 15, 2022 at 2:58 PM Jansen, Jan via lists.lfaidata.foundation <Jan.jansen=gdata.de@...> wrote: Hi It won't be possible to backport without breaking change. We could work on release of janusgraph 1, after we finished upgrading to Tinkerpop 3.6. We have multiple libs with CVEs in 0.6. If your main issues is log4j2, janusgraph 0.6 should work without log4j2. Greetings, Jan From: Li Boxuan <liboxuan@...> Sent: Thursday, September 15, 2022 8:38 PM To: janusgraph-users@... <janusgraph-users@...> Cc: Jansen, Jan <Jan.Jansen@...> Subject: Re: [janusgraph-users] Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!" Sorry I am not sure about that… Maybe Jan (CCed) could answer that? On Sep 15, 2022, at 2:03 PM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Boxuan, Does it mean there is no existing release version for full install with this issue being fixed? Would it be possible to have a release with the fix as the code seems available? The way we've been using janusgraph is to install the latest release version in our docker, after customizing/initializing it with our own schema, together with our models of data fusion and query. It worked very well till we hit this security issue. Thanks, Yingjie On Thu, Sep 15, 2022 at 11:40 AM Boxuan Li <liboxuan@...> wrote: Hi Yingjie, You might need to backport https://github.com/JanusGraph/janusgraph/pull/2890 to 0.6 branch and build your own JanusGraph. You are also welcome to use the master branch to build JanusGraph. Best, Boxuan On Sep 15, 2022, at 11:38 AM, Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Just wondering if anybody has a fix for this? The security issue is a roadblock for us to continue using Janusgraph in our project. Thanks On Mon, Sep 12, 2022 at 9:01 AM Yingjie Li via lists.lfaidata.foundation <yingjie.li=gmail.com@...> wrote: Hello Marc, Actually my previous testing was incomplete. After removing those two log4j related jar files from the lib directory, I can start elasticsearch, cassandra and Janusgraph server successfully. But I got exception when running ./bin/gremlin.sh as below. What other changes do I need to make? Thanks, Yingjie ./bin/gremlin.sh \,,,/ (o o) -----oOOo-(3)-oOOo----- plugin activated: tinkerpop.server plugin activated: tinkerpop.tinkergraph 08:55:29 WARN org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/log4j/Level at org.apache.hadoop.mapred.JobConf.<clinit>(JobConf.java:357) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.apache.hadoop.conf.Configuration.getClassByNameOrNull(Configuration.java:2306) at org.apache.hadoop.util.ReflectionUtils.setJobConf(ReflectionUtils.java:94) at org.apache.hadoop.util.ReflectionUtils.setConf(ReflectionUtils.java:78) at org.apache.hadoop.util.ReflectionUtils.newInstance(ReflectionUtils.java:136) at org.apache.hadoop.security.Groups.<init>(Groups.java:106) at org.apache.hadoop.security.Groups.<init>(Groups.java:102) at org.apache.hadoop.security.Groups.getUserToGroupsMappingService(Groups.java:450) at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:314) at org.apache.hadoop.security.UserGroupInformation.ensureInitialized(UserGroupInformation.java:281) at org.apache.hadoop.security.UserGroupInformation.loginUserFromSubject(UserGroupInformation.java:837) at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:807) at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:680) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2978) at org.apache.hadoop.fs.FileSystem$Cache$Key.<init>(FileSystem.java:2968) at org.apache.hadoop.fs.FileSystem$Cache.get(FileSystem.java:2830) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:389) at org.apache.hadoop.fs.FileSystem.get(FileSystem.java:181) at org.apache.tinkerpop.gremlin.hadoop.jsr223.HadoopGremlinPlugin.lambda$static$0(HadoopGremlinPlugin.java:121) at org.apache.tinkerpop.gremlin.jsr223.LazyBindingsCustomizer.getBindings(LazyBindingsCustomizer.java:56) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.MethodMetaProperty$GetBeanMethodMetaProperty.getProperty(MethodMetaProperty.java:76) at org.codehaus.groovy.runtime.callsite.GetEffectivePojoPropertySite.getProperty(GetEffectivePojoPropertySite.java:63) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callGetProperty(AbstractCallSite.java:298) at org.apache.tinkerpop.gremlin.console.PluggedIn$_activate_closure1.doCall(PluggedIn.groovy:67) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2136) at org.codehaus.groovy.runtime.dgm$181.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.PluggedIn.activate(PluggedIn.groovy:59) at org.apache.tinkerpop.gremlin.console.PluggedIn$activate.call(Unknown Source) at org.apache.tinkerpop.gremlin.console.Console$_closure18.doCall(Console.groovy:149) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:101) at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323) at org.codehaus.groovy.runtime.metaclass.ClosureMetaClass.invokeMethod(ClosureMetaClass.java:263) at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1041) at groovy.lang.Closure.call(Closure.java:405) at groovy.lang.Closure.call(Closure.java:421) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2330) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2315) at org.codehaus.groovy.runtime.DefaultGroovyMethods.each(DefaultGroovyMethods.java:2356) at org.codehaus.groovy.runtime.dgm$186.invoke(Unknown Source) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite$PojoMetaMethodSiteNoUnwrapNoCoerce.invoke(PojoMetaMethodSite.java:244) at org.codehaus.groovy.runtime.callsite.PojoMetaMethodSite.call(PojoMetaMethodSite.java:53) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:47) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:115) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:127) at org.apache.tinkerpop.gremlin.console.Console.<init>(Console.groovy:147) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.codehaus.groovy.reflection.CachedConstructor.invoke(CachedConstructor.java:80) at org.codehaus.groovy.runtime.callsite.ConstructorSite$ConstructorSiteNoUnwrapNoCoerce.callConstructor(ConstructorSite.java:105) at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCallConstructor(CallSiteArray.java:59) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:237) at org.codehaus.groovy.runtime.callsite.AbstractCallSite.callConstructor(AbstractCallSite.java:265) at org.apache.tinkerpop.gremlin.console.Console.main(Console.groovy:524) Caused by: java.lang.ClassNotFoundException: org.apache.log4j.Level at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 80 more On Fri, Sep 9, 2022 at 4:08 PM <hadoopmarc@...> wrote: Hi Yingjie, My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Best wishes, Marc
More All Messages By This Member
hadoopmarc@... #6644 Edited Hi Yingjie, As to the short term workaround with removing the log4j jars, from the lib folder you can still use the gremlin console if you edit the ext/plugins.txt file and remove the lines with the hadoop and spark plugins. However, you state that you use elasticsearch, which also ships with log4j in the janusgraph-full-0.6.2.zip distribution. Best wishes, Marc Edited: cassandra does not ship with log4j
More All Messages By This Member
Yingjie Li #6645 Marc, Yes, we use Cassandra and Elasticsearch at the backend from janusgraph-full-0.6.2 . What are the steps to disable log4j? Thanks Yingjie Th toggle quoted message Show quoted text On Fri, Sep 16, 2022 at 2:30 AM <hadoopmarc@...> wrote: [Edited Message Follows] Hi Yingjie, As to the short term workaround with removing the log4j jars, from the lib folder you can still use the gremlin console if you edit the ext/plugins.txt file and remove the lines with the hadoop and spark plugins. However, you state that you use elasticsearch, which also ships with log4j in the janusgraph-full-0.6.2.zip distribution. Best wishes, Marc Edited: cassandra does not ship with log4j
More All Messages By This Member
hadoopmarc@... #6646 Hi Yingjie, As edited in my previous reaction, the Cassandra jars in the JanusGraph distribution do not include the log4j jar. As to elasticsearch, your best choices are: not use mixed indices (check whether your application needs them) build JanusGraph for the current master branch, as already suggested by Boxuan above. The master branch has a patched Elasticsearch version 7.17 Best wishes, Marc
More All Messages By This Member
Jansen, Jan #6647 Hi Yingjie, You can also download our latest artifacts from github action. https://github.com/JanusGraph/janusgraph/actions/workflows/ci-release.yml?query=branch%3Amaster+is%3Acompleted Just go to the last build and download distribution-builds. Greetings, Jan toggle quoted message Show quoted text From: janusgraph-users@... <janusgraph-users@...> on behalf of hadoopmarc via lists.lfaidata.foundation <hadoopmarc=xs4all.nl@...> Sent: Friday, September 16, 2022 2:30 PM To: janusgraph-users@... <janusgraph-users@...> Subject: Re: [janusgraph-users] Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!" Hi Yingjie, As edited in my previous reaction, the Cassandra jars in the JanusGraph distribution do not include the log4j jar. As to elasticsearch, your best choices are: not use mixed indices (check whether your application needs them) build JanusGraph for the current master branch, as already suggested by Boxuan above. The master branch has a patched Elasticsearch version 7.17 Best wishes, Marc
More All Messages By This Member
Yingjie Li #6655 Hello Jan, Thanks for the pointers. I downloaded the last build based on the link you provided. I unzipped janusgraph-full-1.0.0-SNAPSHOT.zip and tried starting Janusgraph and gremlin.sh, both worked. I removed log4j-1.2.17.jar, restarted janusgraph, and ran gremlin.sh, but failed. Does it mean log4j-1.2.17 is still used somehow and if so, how to disable it? Thanks. Yingjie toggle quoted message Show quoted text On Fri, Sep 16, 2022 at 10:08 AM Jansen, Jan via lists.lfaidata.foundation <Jan.jansen=gdata.de@...> wrote: Hi Yingjie, You can also download our latest artifacts from github action. https://github.com/JanusGraph/janusgraph/actions/workflows/ci-release.yml?query=branch%3Amaster+is%3Acompleted Just go to the last build and download distribution-builds. Greetings, Jan From: janusgraph-users@... <janusgraph-users@...> on behalf of hadoopmarc via lists.lfaidata.foundation <hadoopmarc=xs4all.nl@...> Sent: Friday, September 16, 2022 2:30 PM To: janusgraph-users@... <janusgraph-users@...> Subject: Re: [janusgraph-users] Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!" Hi Yingjie, As edited in my previous reaction, the Cassandra jars in the JanusGraph distribution do not include the log4j jar. As to elasticsearch, your best choices are: not use mixed indices (check whether your application needs them) build JanusGraph for the current master branch, as already suggested by Boxuan above. The master branch has a patched Elasticsearch version 7.17 Best wishes, Marc
More All Messages By This Member
hadoopmarc@... #6656 Hi Yingjie, See my earlier comment, with respect to janusgraph-0.6.2: >>My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Can you confirm that log4j-2x in the elasticsearch/lib folder now has the required version? Best wishes, Marc
More All Messages By This Member
Yingjie Li #6657 Hello Marc, For this build, in directory janusgraph-full-1.0.0-SNAPSHOT/lib, there are log4j-1.2.17.jar , log4j-api-2.18.0.jar, log4j-core-2.18.0.jar, log4j-slf4j-impl-2.18.0.jar, but no slf4j-log4j12-1.7.30.jar . In directory janusgraph-full-1.0.0-SNAPSHOT/elasticsearch/lib, there are elasticsearch-log4j-7.17.5.jar, log4j-api-2.17.1.jar Yingjie toggle quoted message Show quoted text On Fri, Sep 30, 2022 at 1:51 AM <hadoopmarc@...> wrote: Hi Yingjie, See my earlier comment, with respect to janusgraph-0.6.2: >>My suggestion was incomplete. In addition to removing the log4j-1.2.17.jar file from the lib folder, you have to remove the slf4j-log4j12-1.7.30.jar file as well. Otherwise, JanusGraph server starts looking for the log4j jar and crashes, as you found out. Can you confirm that log4j-2x in the elasticsearch/lib folder now has the required version? Best wishes, Marc
More All Messages By This Member

1 - 20 of 22

Previous Topic Next Topic

Home Hashtags Subgroups Calendar Terms

Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"

1. Upgrade the affected product listed below to a version which includes a patched version of log4j – CISO requires all version 1.x and 2.x to be upgraded to version 2.17.1 or later.

2. If upgrade is not possible, the affected component must be uninstalled or deleted.