Janusgraph-full-0.6.1: how to fix "WARNING: Critical severity vulnerabilities were found with Log4j!"
hadoopmarc@...
Hi Yingjie,
OK, I tried for myself. From the initial log lines in the Gremlin Console:

SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/log4j-slf4j-impl-2.18.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/tera/lib/janusgraph-full-1.0.0-SNAPSHOT/lib/logback-classic-1.2.11.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]

you can see that you also have to remove lib/log4j-slf4j-impl-2.18.0.jar.

After having done that, you will notice that the hadoop and spark plugins also depend on log4j. You can disable these by removing the corresponding lines from the ext/plugins.txt file.

It seems the distribution now meets your requirements!

Best wishes,

Marc

Yingjie Li
Hello Marc,

Yes, after applying the changes you suggested, it works now. I can load data and use gremlin successfully!

Thanks to all of you, Marc, Jan and Boxuan, for your help in fixing the security issue!

Best,
Yingjie

Thanks,
Yingjie

On Fri, Sep 30, 2022 at 3:46 AM <hadoopmarc@...> wrote:
Hi Yingjie,
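
A check for the two clean-up steps described in this thread, as an added example that is not part of the original messages or of the JanusGraph project. The function names, the `AUDIT_FINDINGS` variable and the sample plugin class names are constructed for illustration, and the script assumes ext/plugins.txt holds one plugin class name per line.

```shell
# Audit an unpacked distribution directory for leftover Log4j pieces.
# Sets AUDIT_FINDINGS and returns non-zero when anything is found.
audit_dist() {
  dist=$1
  AUDIT_FINDINGS=0
  # Jars in lib/ whose file name starts with "log4j"; this covers
  # lib/log4j-slf4j-impl-2.18.0.jar named in the thread.
  for jar in "$dist"/lib/log4j*.jar; do
    [ -e "$jar" ] || continue          # the glob matched nothing
    echo "LOG4J-JAR $jar"
    AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1))
  done
  # Hadoop/Spark plugin lines still present in ext/plugins.txt.
  # Assumption: one plugin class name per line.
  if [ -f "$dist/ext/plugins.txt" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      case $line in
        *[Hh]adoop*|*[Ss]park*)
          echo "PLUGIN $line"
          AUDIT_FINDINGS=$((AUDIT_FINDINGS + 1)) ;;
      esac
    done < "$dist/ext/plugins.txt"
  fi
  [ "$AUDIT_FINDINGS" -eq 0 ]
}

# Constructed sample tree (not a real distribution) to exercise the audit.
make_sample_dist() {
  d=$(mktemp -d)
  mkdir -p "$d/lib" "$d/ext"
  : > "$d/lib/log4j-slf4j-impl-2.18.0.jar"
  : > "$d/lib/logback-classic-1.2.11.jar"
  printf '%s\n' \
    'example.plugin.JanusGraphPlugin' \
    'example.plugin.HadoopPlugin' \
    'example.plugin.SparkPlugin' > "$d/ext/plugins.txt"
  echo "$d"
}
```

Run `audit_dist /path/to/distribution` after the clean-up; a zero exit status means no log4j-named jar and no hadoop or spark plugin line was found. The check goes by file and class names only and does not inspect jar contents.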