Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Is Cromwell affected by log4shell ?

See original GitHub issue

A simple grep through the source code reveals several hits with Log4j:

CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-core</artifactId>
CromwellRefdiskManifestCreator/pom.xml:            <groupId>org.apache.logging.log4j</groupId>
CromwellRefdiskManifestCreator/pom.xml:            <artifactId>log4j-api</artifactId>
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Level;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.LogManager;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.Logger;
CromwellRefdiskManifestCreator/src/main/java/org/broadinstitute/manifestcreator/CromwellRefdiskManifestCreatorApp.java:import org.apache.logging.log4j.core.config.Configurator;
project/Dependencies.scala:    // Replace all log4j usage with slf4j
project/Dependencies.scala:    // https://www.slf4j.org/legacy.html#log4j-over-slf4j
project/Dependencies.scala:    "org.slf4j" % "log4j-over-slf4j" % slf4jV

I wasn’t able to expose a vulnerability by using malicious code but my test is probably not extensive. It looks like this lib is used in a packaging tool of Cromwell so probably not executed during production. On the other hand, slj4j seems to be used everywere. Is that abstraction layer vulnerable ?

Could you please let us know if you believe Cromwell is affected by Log4shell ?

Thanks,

Issue Analytics

State:
Created 2 years ago
Comments:5 (3 by maintainers)

Top GitHub Comments

2reactions

aednicholscommented, Dec 17, 2021

We redundantly re-verified the absence of the problem class [0] by unzipping the shipping Cromwell JAR and manually checking that the path is empty.

[0] org/apache/logging/log4j/core/lookup/JndiLookup.class

2reactions

aednicholscommented, Dec 14, 2021

Cromwell itself does not use Log4j.

This can be verified by executing sbt dependencyTree and noting that all instances of “log4j” occur in org.slf4j:log4j-over-slf4j which is a Log4j compatibility bridge from a different project.

The utility tool CromwellRefdiskManifestCreator is written in Java and does use Log4j. It is not included in the Cromwell JAR. It is being updated presently.