Flogger pulls in vulnerable log4j2 version (CVE-2021-44228)
philwo opened this issue · 5 comments
I sent a PR to bazel-common to bump the library there: google/bazel-common#144
When it's merged, we'll have to update our reference here: https://github.com/google/flogger/blob/master/WORKSPACE#L23-L28
Flogger uses an explicit SimpleMessage
so I believe it's not vulnerable.
BTW, log4j 2.15 requires JDK >= 8, and AFAICT Flogger aims at supporting JDK 7 too.
As tbroyer says, it doesn't look like someone using log4j via Flogger's log4j2 backend should be affected by this. That said, I've gone ahead and updated the dependency version in a573072.
Fwiw, I was wrong: Flogger is vulnerable, as Log4j does lookups after the message is fully formatted (which is also why lookups in message arguments are evaluated)
Yeah, looks like you're right. At any rate, I've just pushed Flogger 0.7.2 to Maven Central, which updates the dependency (though of course anyone using Flogger with log4j should also be able to upgrade the log4j version without needing to change the Flogger version).
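The point tbroyer makes above, that Log4j runs lookups on the message text after it has already been formatted, is something you can check directly without touching Flogger at all. The snippet below is an added example written for this page; it is not code from the issue, from Flogger, or from Log4j. It hands a `SimpleMessage` (the message type the thread says Flogger's backend uses) to a `PatternLayout` and compares `%m` with `%m{nolookups}`, using the harmless `${java:version}` lookup so nothing leaves the JVM. It assumes `log4j-api` and `log4j-core` from a version older than 2.15 on the classpath, and it assumes that a `PatternLayout` built without an explicit `Configuration` falls back to the `DefaultConfiguration`, whose substitutor carries the standard lookups.

```java
// Added example, not part of the google/flogger issue thread, Flogger, or Log4j itself.
// Assumes log4j-api and log4j-core older than 2.15 on the classpath.
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.core.layout.PatternLayout;
import org.apache.logging.log4j.message.SimpleMessage;

public class LookupAfterFormatCheck {

    /** Renders one event through a PatternLayout with the given pattern and returns the line. */
    static String render(String pattern, String text) {
        // SimpleMessage performs no parameter substitution of its own: the text is final
        // by the time the event reaches the layout, which is exactly the Flogger situation.
        LogEvent event = Log4jLogEvent.newBuilder()
                .setLoggerName("check")
                .setLevel(Level.INFO)
                .setMessage(new SimpleMessage(text))
                .build();
        // Assumption: with no Configuration supplied, the builder uses DefaultConfiguration,
        // so the %m converter has a StrSubstitutor with the usual lookups available.
        PatternLayout layout = PatternLayout.newBuilder().withPattern(pattern).build();
        return layout.toSerializable(event);
    }

    /** True when the layout expanded the placeholder even though the message was pre-formatted. */
    static boolean expandsLookupsAfterFormatting(String pattern) {
        // ${java:version} is a benign, local-only lookup; it stands in for anything an
        // attacker could place in a logged string. No network access is involved.
        String rendered = render(pattern, "user input was: ${java:version}");
        return !rendered.contains("${java:version}");
    }

    public static void main(String[] args) {
        String text = "user input was: ${java:version}";
        System.out.print("%m            -> " + render("%m%n", text));
        System.out.print("%m{nolookups} -> " + render("%m{nolookups}%n", text));
        System.out.println("%m expands lookups in a SimpleMessage: "
                + expandsLookupsAfterFormatting("%m"));
        System.out.println("%m{nolookups} expands lookups in a SimpleMessage: "
                + expandsLookupsAfterFormatting("%m{nolookups}"));
    }
}
```

On a pre-2.15 `log4j-core`, the `%m` line comes back with the placeholder replaced by the JVM version, which is the behaviour the thread describes: the lookup is resolved by the layout, after the message object has produced its final text, so building the message as a `SimpleMessage` does not prevent it. The `%m{nolookups}` line keeps the literal `${java:version}`. Treat `nolookups` in a pattern as a diagnostic and, at best, a stopgap for one appender; the fix the thread settles on, upgrading the `log4j-core` dependency, is the one to ship.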