This is a static archive of our old OpenStreetMap Help Site. Please post any new questions and answers at community.osm.org.

Log4j and OSM

0

Just wondering if there were any known log4j vulnerabilities if folks are using the OSM Overpass API? Haven't seen any official statements put out by OSM like for other organizations. Admittedly I can't see how there would be issues, but since it's not super clear from the Wiki (to a novice like myself) how the API is structured I figured I'd ask.

asked 09 Feb '22, 18:01

sillywizard's gravatar image

sillywizard
16113
accept rate: 0%

edited 09 Feb '22, 18:23

One Answer:

2

OSMF only manage the "core" openstreetmap.org servers, which run mostly on Ruby on Rails, with some C optimizations, so I don't think they will issue any statement regarding Log4j.

The OSM ecosystem is quite diverse and not centrally managed, so you'll need to check every software you use.

The Overpass API you mention looks to be mostly coded in C++, so I don't think there would any trouble there.

Anyway, if I understand correctly the Log4Shell exploit, the trouble would be for server's administrators, not users.

Disclaimer : I'm neither security nor Java expert.

Regards.

answered 09 Feb '22, 18:48

H_mlet's gravatar image

H_mlet
5.4k1781
accept rate: 13%

Source code available on GitHub .