log4j JNDI vulnerability
zahirtezcan-bugs opened this issue · 4 comments
Is this project affected by CVE-2021-44228?
Cheatsheet:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/
Logback issue:
https://jira.qos.ch/browse/LOGBACK-1591?filter=-6
Log4j issue:
elastic/elasticsearch#81620
As far as I'm concerned, this may be fixed in the installable version, but Docker versions still contain log4j-core-2.11.1.jar
fluent-logger-java doesn't depend on Log4j2:
$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO]
[INFO] ---------------------< org.fluentd:fluent-logger >----------------------
[INFO] Building Fluent Logger for Java 0.3.5-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO]
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ fluent-logger ---
[INFO] org.fluentd:fluent-logger:jar:0.3.5-SNAPSHOT
[INFO] +- org.msgpack:msgpack:jar:0.6.8:compile
[INFO] | +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] | \- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.6:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.1:test
[INFO] | \- ch.qos.logback:logback-core:jar:1.1.1:test
[INFO] \- junit:junit:jar:4.8.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 0.608 s
[INFO] Finished at: 2021-12-20T14:32:31+09:00
[INFO] ------------------------------------------------------------------------
Docker versions still contain log4j-core-2.11.1.jar
What does "Docker versions" mean?
AFAIK fluent-logger-java is a library, so it isn't distributed in a Docker container without an application.
If your application distributed in a Docker container has the issue, it's an issue of your application or Docker container.
Hey @ashie, I only used unmodified Docker versions of Logstash and Elasticsearch from docker.elastic.co. At least one of them in 6.8.21 and 7.16.1 still contained log4j-core 2.11.0.jar, even if the class was extracted as per the proposed mitigation. I did not check other versions personally.
Even if the fix was the recommended mitigation, it's still just a mitigation, not a fix, and doesn't pass security scanners.
Now 6.8.22 and 7.16.2 are completely fixed with log4j 2.17.0, so it's all good and really fixed.
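The comments above hinge on a distinction a scanner has to make: an old log4j-core jar whose JndiLookup class was deleted (the "remove the class" mitigation) versus a jar upgraded to a fixed release. Version-only scanners see the same `pom.properties` either way and keep flagging the mitigated jar. The script below is an added example, not code from this issue or from the fluent-logger-java project. It inspects every jar under a directory (including jars nested inside application jars), reads the log4j-core version from `META-INF/maven/.../pom.properties`, checks whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is still present, and reports `fixed`, `mitigated` or `vulnerable`. The `2.17.0` threshold is taken from the last comment above and is an assumption; set it to whichever release your advisory requires. The sample jars it builds are constructed stand-ins, not real artifacts.

```python
"""Audit log4j-core jars: version from pom.properties plus presence of
JndiLookup.class, so a class-removal mitigation is not confused with an upgrade."""
import io
import os
import re
import tempfile
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption: the release the thread above treats as fully fixed.
FIXED_VERSION = "2.17.0"


def parse_version(text):
    """'2.11.1' -> (2, 11, 1); tolerant of suffixes such as '2.0-beta9'."""
    return tuple(int(x) for x in re.findall(r"\d+", text)[:3])


def inspect_log4j_core(jar_bytes, fixed_version=FIXED_VERSION):
    """Classify one jar (given as bytes).

    fixed          version >= fixed_version (JndiLookup may still exist there)
    mitigated      older version, but JndiLookup.class has been removed
    vulnerable     older or unknown version with JndiLookup.class present
    not-log4j-core neither a log4j-core pom.properties nor the class
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        status = "not-log4j-core"
    elif version is not None and parse_version(version) >= parse_version(fixed_version):
        status = "fixed"
    elif has_jndi:
        status = "vulnerable"
    else:
        status = "mitigated"
    return {"version": version, "jndi_lookup_present": has_jndi, "status": status}


def iter_nested_jars(path, data):
    """Yield (path, bytes) for a jar and every jar embedded in it (fat jars, wars)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        yield path, data
        for entry in zf.namelist():
            if entry.endswith(".jar"):
                yield from iter_nested_jars(path + "!/" + entry, zf.read(entry))


def scan_directory(root, fixed_version=FIXED_VERSION):
    """Walk a directory (e.g. an image's /usr/share/elasticsearch/lib) and
    return {jar_path: result} for every jar that looks like log4j-core."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            for inner_path, inner in iter_nested_jars(path, data):
                result = inspect_log4j_core(inner, fixed_version)
                if result["status"] != "not-log4j-core":
                    findings[inner_path] = result
    return findings


def build_sample_jar(version, include_jndi_lookup):
    """Constructed stand-in for a log4j-core jar (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(POM_PROPERTIES, "version=%s\ngroupId=org.apache.logging.log4j\n"
                    "artifactId=log4j-core\n" % version)
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
    return buf.getvalue()


def demo_scan():
    """Write constructed jars (one nested in an app jar) to a temp dir, scan it,
    and return {relative_path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-audit-")
    samples = {
        "log4j-core-2.11.1.jar": build_sample_jar("2.11.1", True),
        "log4j-core-2.11.1-mitigated.jar": build_sample_jar("2.11.1", False),
        "log4j-core-2.17.0.jar": build_sample_jar("2.17.0", True),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    app = io.BytesIO()  # application fat jar embedding an unpatched log4j-core
    with zipfile.ZipFile(app, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.11.1.jar", samples["log4j-core-2.11.1.jar"])
    with open(os.path.join(root, "app.jar"), "wb") as fh:
        fh.write(app.getvalue())
    return {p[len(root) + 1:]: r["status"] for p, r in scan_directory(root).items()}


if __name__ == "__main__":
    for path, status in sorted(demo_scan().items()):
        print("%-50s %s" % (path, status))
```

Run it against an extracted image filesystem (`docker cp <container>:/usr/share/elasticsearch/lib ./lib` then `scan_directory("./lib")`) to get the same split the thread describes: a jar reported as `mitigated` is safe from the JNDI lookup but still shows the old version to any scanner that reads only `pom.properties`.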
@ashie I thought this issue could be used to track the mentioned logback issue. Since logback was a fork of log4j, I thought that might be relevant.