Hope you are doing well!
I am relatively new to Graylog, so I just wanted to check with the community to be 100% sure that it does not use any of the Spring modules internally for any of its features, as there has been a vulnerability detected in Spring Core on JDK9+ version.
You may want to look at this documentation.
Pardon me but I don’t see how this addresses the question. Does Graylog use Spring and Tomcat? Which JDK version is used in the official Docker and VM images?
At a glance, the answer is no, it doesn’t use Spring, and the official Docker uses JDK 8 anyway.
Don’t know about Docker and/or what version you’re talking about. The question above does not state what installation is being used, so I assume it’s from a package handler in which Oracle Java SE 17 or OpenJDK 17 works.
Don’t know about Docker
The official Docker images linked on the releases page.
Announcing Graylog v4.2.7 | Graylog for example.
I am running Graylog 3.3.3 and when I check the nodes in the interface they reported running JDK 1.8.
In our environment we use the latest Docker version 4.2.7 w/ OpenJDK 11.
I was looking this issue up since I have time and noticed a statement that this is a new SpringShell 0-day vulnerability. Is this correct? I was assuming this was from last year.
@dscryber I was researching this further; by chance, do you have any info on this?
Spring4Shell: Spring users face new, zero-day vulnerability | The Daily Swig
Thanks for chiming in on this post, I totally overlooked this.
Maybe one of the staff members could enlighten us about this.
Also quite new to Graylog. I am checking the repository (*) and there would appear to be no references to Spring libraries in the project.
Is this validation correct to verify if there can be a potential security concern regarding SpringShell 0-day Vulnerability?
graylog2-server/pom.xml at master · Graylog2/graylog2-server · GitHub
Graylog does not use Spring framework in any supported version through 4.2.7.
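An added example, not part of the thread and not Graylog's own tooling, of the check discussed above: a pom.xml lists only declared dependencies, so this also inspects a built jar, where transitive, bundled or shaded libraries end up. The function names and sample inputs are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

SPRING_GROUP = "org.springframework"       # Maven groupId prefix of Spring artifacts
SPRING_CLASS_DIR = "org/springframework/"  # package path of Spring classes in a jar

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace Maven POMs declare

def spring_deps_in_pom(pom_text):
    """Return sorted (groupId, artifactId) pairs a POM declares under Spring's groupId."""
    hits = set()
    for el in ET.fromstring(pom_text).iter():
        if _local(el.tag) in ("dependency", "parent"):
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            group = fields.get("groupId", "")
            if group == SPRING_GROUP or group.startswith(SPRING_GROUP + "."):
                hits.add((group, fields.get("artifactId", "")))
    return sorted(hits)

def spring_entries_in_jar(jar_bytes, depth=0):
    """Return Spring classes or bundled spring-*.jar names in a jar, following nested jars."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            # "in" rather than startswith, so relocated (shaded) packages still match
            if SPRING_CLASS_DIR in name and name.endswith(".class"):
                hits.append(name)
            elif base.endswith(".jar") and base.startswith("spring-"):
                hits.append(name)
            elif base.endswith(".jar") and depth < 3:
                nested = spring_entries_in_jar(zf.read(name), depth + 1)
                hits += [f"{name}!{n}" for n in nested]
    return hits

def _make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs (not taken from any real project).
POM_CLEAN = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>com.example</groupId><artifactId>logging-core</artifactId></dependency>
</dependencies></project>"""
POM_SPRING = POM_CLEAN.replace("com.example", SPRING_GROUP).replace("logging-core", "spring-beans")
NESTED = _make_jar({"org/springframework/beans/BeanWrapper.class": b""})
JAR_TRANSITIVE = _make_jar({"com/example/Main.class": b"", "lib/helper.jar": NESTED})
```

An empty result from the POM check alone is not conclusive; the jar check on the artifact that is actually deployed is the stronger signal.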