Vulnerable version of Log4j detected

[brownmic117]

Hail!

When deploying Webots to our labs, our security solution lit up with warnings that Webots [R2023a] is running a vulnerable version of Log4j (lisum-gui.jar)

As we're now caught in the rough position of cybersecurity wanting us to get shot of Webots due to the vulnerability, and the academic teams stating that there is nothing other than Webots will do the job -- I don't suppose there is any way for us to patch Webots to mitigate this vulnerability? (I could delete 'lisum-gui.jar' on each installation... but I have yet to learn what it does, thus, what or how much it will break.)

[ad-daniel]

It seems to be a dependency of SUMO, which is the traffic simulator used by Webots.
As far as I can tell, the log4j vulnerability in SUMO should have been fixed with sumo 1.11 (Webots uses 1.13), so it's a bit odd that it still gets flagged

[ad-daniel]

Makes sense then, we're looking into upgrading to 1.13 for windows as well, we'll let you know when a patched version is available in a nightly build

[brownmic117]

Awesome! Cheers @ad-daniel 👍

[ad-daniel]

@BenjaminDeleze just merged the updated version with this pull request, if all goes well with tonight's build, webots-R2023a-rev1_setup.exe should be available tomorrow morning here. Let us know if problems persist

[brownmic117]

Nightly build deployed. No word yet on if it's tripping the vulnerability scanners, but I should know by morning if the vulnerability has been sealed. Will let you know as soon as I have confirmation!

[brownmic117]

@ad-daniel -- Sorry for the delayed response; it took some time for cyber to get back to me. All is clear now; no sign of Log4j alerts on the network since deploying webots-R2023a-rev1_setup.exe

Cheers for the help!