log4j 1.2.17 dependency
l00zak opened this issue · 6 comments
It looks like it have some vulnerable log4j 1.2.17 dependency. Have you consider update to 2.17.2?
output from mvn dependency:tree command below
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ encoder-esapi ---
[INFO] org.owasp.encoder:encoder-esapi:jar:1.2.3
[INFO] +- org.owasp.encoder:encoder:jar:1.2.3:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.4.0.0:compile
[INFO] | +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | - commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.4:compile
[INFO] | +- log4j:log4j:jar:1.2.17:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.4:compile
[INFO] | +- org.apache-extras.beanshell:bsh:jar:2.0b6:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.6.8:compile
[INFO] | | +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] | | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.3:compile
[INFO] | | | +- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.3:compile
[INFO] | | | - commons-codec:commons-codec:jar:1.15:compile
[INFO] | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.3:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | | - org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | | - org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | | +- xerces:xercesImpl:jar:2.12.2:compile
[INFO] | | - xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] | +- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] | - commons-io:commons-io:jar:2.11.0:compile
[INFO] - junit:junit:jar:3.8.2:test
Yes, there's a transitive dependency on log4j 1.2.17 via ESAPI, but the ESAPI team has done a thorough analysis of all the Log4J 1 related vulnerabilities and ESAPI does not expose users to any them with its standard configuration (which is to use ConsoleAppender
, although any of the FileAppender
s should be fine as well). The ESAPI team has written up specific Security Bulletins discussing these. As long as you are not using something like JMSAppender
or SMTPAppender
or another of the vulnerable classes in your log4j.xml file, you should be fine.
I can point out the specific links to the Security Bulletins latter if you would like me to, but don't have time at the moment. There are about 6 of them.
-kevin wall, ESAPI project co-lead
Thanks for quick answer Kevin!
Found your statement about patching in ESAPI
https://groups.google.com/a/owasp.org/g/esapi-project-users/c/_CR8d-dpvMU?pli=1
As I understand log4j 1.2.17 will stay here until at least release of ESAPI 3.x because of backward compatibility, and there is no simple way to get rid of this dependency.
You could not be more clear Kevin!
Thanks for clarification :)
FYI - Related to this closed issue, the ESAPI team is currently working on releasing 2.5.0.0, which will remove ALL Log4J 1 dependencies. As of 7/13/2022, Log4J 1 will have been officially deprecated for 2 years, which we only kept that long because of our deprecation policy. But once 2.5.0.0 is released (I'm working on release notes now), all known CVEs should be dealt with, but to get the benefit, the Java Encoder project (well, the 'ESAPI Thunk' part that builds the 'encoder-esapi' jar) will have to update to ESAPI 2.5.0.0. I'm hoping to have that out RSN.