Is the R package h2o affected by the log4j vulnerability? (and how to solve it)

A vulnerability of log4j became public. Amongst other packages, I am using the R shiny and h2o packages. I already found out that shiny is not affected by the vulnerability, since it uses log4js (see https://github.com/log4js-node/log4js-node/issues/1105), which is an implementation in JavaScript.

Now we come to h2o. I know that this package provides an API to the h2o framework in Java. In the documentation on building h2o from source from GitHub (see https://h2o-release.s3.amazonaws.com/h2o/rel-noether/4/docs-website/developuser/quickstart_git.html), I found lines like these:

javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/mapr2.1.3/hadoop-0.20.2-dev-core.jar"
-d classes/mapr2.1.3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_mapr2.1.3.jar -C classes/mapr2.1.3 .
make build_inner HADOOP_VERSION=cdh3
mkdir classes/cdh3
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh3/hadoop-core-0.20.2-cdh3u6.jar" -d
classes/cdh3 src/main/java/water/hadoop/*.java
warning: [options] bootstrap class path not set in conjunction with -source 1.6
1 warning
jar cf target/h2odriver_cdh3.jar -C classes/cdh3 .
make build_inner HADOOP_VERSION=cdh4
mkdir classes/cdh4
javac -source 1.6 -target 1.6 -sourcepath src/main/java -classpath
"../lib/log4j/log4j-1.2.15.jar:../target/h2o.jar:../lib/hadoop/cdh4/hadoop-common.jar:../

It seems like h2o is using log4j, but I don't know much about Java and its dependencies.

Can anyone with more knowledge clarify whether the h2o package is affected by the log4j vulnerability? And if so, how to solve or work around this?

Thank you very much in advance.

Jonas asked Sep 17 '25 13:09


1 Answer

A jar file is just a compressed folder with a different name. You can explore your packages looking for this information.

H2O's official statement, including affected versions and recommendations: https://www.h2o.ai/security/bulletins/h2o-2021-001/

Luna answered Sep 20 '25 03:09
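The answer's advice is to open the jars and look. As an added example (written here, not code from the answer or from H2O), the following Python scanner does exactly that offline: it walks a directory of jars, recurses into jars nested inside fat jars, and reports every bundled log4j it finds together with a verdict for CVE-2021-44228 only. The fingerprint it uses is factual: Log4Shell lives in log4j-core 2.x and requires the class org/apache/logging/log4j/core/lookup/JndiLookup.class, fixed in 2.15.0 (2.12.2 on the Java 7 branch, 2.3.1 on the Java 6 branch); the legacy log4j 1.x line seen in the build log above does not contain that class and is not affected by this CVE. The location of the jar inside the installed R package (assumed: the package's java directory, which in R is system.file("java", package = "h2o")) and the sample jars built by build_sample_tree() are constructed assumptions for demonstration.

```python
# Added example: an offline scanner that "explores the packages" for bundled log4j.
# Not H2O's code. The jar location and the sample jars are constructed assumptions.
import io
import os
import re
import tempfile
import zipfile

# CVE-2021-44228 (Log4Shell) lives in log4j-core 2.x; this class is its fingerprint.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Marker class for the legacy log4j 1.x line, which has no JndiLookup class.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# Maven metadata most jars carry; gives the exact version when present.
POM_PROPS = {
    "2.x": "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "1.x": "META-INF/maven/log4j/log4j/pom.properties",
}
VERSION_RE = re.compile(r"^version=(\S+)", re.M)
# First release fixing CVE-2021-44228 on each maintained 2.x branch.
FIXED = {(2, 12): (2, 12, 2), (2, 3): (2, 3, 1)}
FIXED_DEFAULT = (2, 15, 0)


def parse_version(text):
    """'2.13.3' -> (2, 13, 3); stops at the first non-numeric component."""
    parts = []
    for piece in re.split(r"[.-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def read_version(zf, names, branch):
    """Version string from the branch's pom.properties, or None if absent."""
    path = POM_PROPS[branch]
    if path not in names:
        return None
    match = VERSION_RE.search(zf.read(path).decode("utf-8", "replace"))
    return match.group(1) if match else None


def assess(branch, version, has_jndi_lookup):
    """Classify one log4j hit against CVE-2021-44228 only."""
    if branch == "1.x":
        return "not affected by CVE-2021-44228 (log4j 1.x, end-of-life)"
    if not has_jndi_lookup:
        return "JndiLookup.class absent: mitigated"
    if version is None:
        return "VULNERABLE? JndiLookup.class present, version unknown"
    v = parse_version(version)
    if v >= FIXED.get(v[:2], FIXED_DEFAULT):
        return "patched for CVE-2021-44228 (check later log4j advisories)"
    return "VULNERABLE to CVE-2021-44228"


def scan_jar_bytes(label, data):
    """Findings for one jar, recursing into jars nested inside it (fat/uber jars)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        v2 = read_version(zf, names, "2.x")
        if has_jndi or v2 is not None:
            findings.append((label, "2.x", v2, assess("2.x", v2, has_jndi)))
        if LOG4J1_MARKER in names:
            v1 = read_version(zf, names, "1.x")
            findings.append((label, "1.x", v1, assess("1.x", v1, False)))
        for inner in sorted(names):
            if inner.lower().endswith(".jar"):
                findings.extend(scan_jar_bytes(f"{label}!{inner}", zf.read(inner)))
    return findings


def scan_tree(root):
    """Scan every .jar under root, e.g. the R library's h2o/java directory (assumed path)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    findings.extend(scan_jar_bytes(os.path.relpath(path, root), fh.read()))
    return findings


def build_sample_tree(root):
    """Constructed sample: an uber-jar shading log4j-core 2.13.3 plus a nested log4j 1.2.15."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z1:
        z1.writestr(LOG4J1_MARKER, b"\xca\xfe\xba\xbe")
        z1.writestr(POM_PROPS["1.x"], "version=1.2.15\n")
    java_dir = os.path.join(root, "java")
    os.makedirs(java_dir, exist_ok=True)
    with zipfile.ZipFile(os.path.join(java_dir, "h2o.jar"), "w") as z2:
        z2.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
        z2.writestr(POM_PROPS["2.x"], "version=2.13.3\n")
        z2.writestr("lib/log4j-1.2.15.jar", inner.getvalue())
    return java_dir


def demo():
    """Run the scanner over the constructed sample tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for label, branch, ver, verdict in demo():
        print(f"{label}: log4j {branch} {ver or '?'} -> {verdict}")
```

Point scan_tree() at the real directory (for the R package, the assumed path is the value of system.file("java", package = "h2o")) instead of the sample tree. A "VULNERABLE" verdict means the jar ships an unpatched log4j-core with JndiLookup still inside; the clean fix for an R user is to upgrade h2o to a version the H2O bulletin lists as fixed, and Apache's documented stop-gap for any log4j-core 2.x jar is deleting that one class from the jar (zip -q -d <jar> org/apache/logging/log4j/core/lookup/JndiLookup.class). A 1.x hit, such as the log4j-1.2.15.jar in the build log, is out of scope for this CVE but is an unsupported library with advisories of its own, so it still belongs on the upgrade list.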