OWASP/owasp-java-encoder

log4j 1.2.17 dependency

l00zak opened this issue · 6 comments

It looks like it have some vulnerable log4j 1.2.17 dependency. Have you consider update to 2.17.2?

output from mvn dependency:tree command below

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ encoder-esapi ---
[INFO] org.owasp.encoder:encoder-esapi:jar:1.2.3
[INFO] +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.4.0.0:compile
[INFO] | +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | - commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] | +- log4j:log4j:jar:1.2.17:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] | +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.6.8:compile
[INFO] | | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] | | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] | | | +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] | | | - commons-codec:commons-codec:jar:1.15:compile
[INFO] | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | | - org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | | - org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | | - xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | - commons-io:commons-io:jar:2.11.0:compile
[INFO] - junit:junit:jar:3.8.2:test

Yes, there's a transitive dependency on log4j 1.2.17 via ESAPI, but the ESAPI team has done a thorough analysis of all the Log4J 1 related vulnerabilities and ESAPI does not expose users to any them with its standard configuration (which is to use ConsoleAppender, although any of the FileAppenders should be fine as well). The ESAPI team has written up specific Security Bulletins discussing these. As long as you are not using something like JMSAppender or SMTPAppender or another of the vulnerable classes in your log4j.xml file, you should be fine.

I can point out the specific links to the Security Bulletins latter if you would like me to, but don't have time at the moment. There are about 6 of them.

-kevin wall, ESAPI project co-lead

Thanks for quick answer Kevin!
Found your statement about patching in ESAPI
https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1
As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.

You could not be more clear Kevin!
Thanks for clarification :)

FYI - Related to this closed issue, the ESAPI team is currently working on releasing 2.5.0.0, which will remove ALL Log4J 1 dependencies. As of 7/13/2022, Log4J 1 will have been officially deprecated for 2 years, which we only kept that long because of our deprecation policy. But once 2.5.0.0 is released (I'm working on release notes now), all known CVEs should be dealt with, but to get the benefit, the Java Encoder project (well, the 'ESAPI Thunk' part that builds the 'encoder-esapi' jar) will have to update to ESAPI 2.5.0.0. I'm hoping to have that out RSN.