
log4j JNDI vulnerability #96

Closed
zahirtezcan-bugs opened this issue Dec 14, 2021 · 4 comments

Comments

@zahirtezcan-bugs

Is this project affected by CVE-2021-44228?

Cheatsheet:
https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

Logback issue:
https://jira.qos.ch/browse/LOGBACK-1591?filter=-6

Log4j issue:
elastic/elasticsearch#81620

@julichan

As far as I'm concerned, this may be fixed in the installable version, but Docker versions still contain log4j-core-2.11.1.jar

@ashie
Member

ashie commented Dec 20, 2021

fluent-logger-java doesn't depend on Log4j2:

$ mvn dependency:tree
[INFO] Scanning for projects...
[INFO] 
[INFO] ---------------------< org.fluentd:fluent-logger >----------------------
[INFO] Building Fluent Logger for Java 0.3.5-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
[INFO] 
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ fluent-logger ---
[INFO] org.fluentd:fluent-logger:jar:0.3.5-SNAPSHOT
[INFO] +- org.msgpack:msgpack:jar:0.6.8:compile
[INFO] |  +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] |  \- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.6:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.1:test
[INFO] |  \- ch.qos.logback:logback-core:jar:1.1.1:test
[INFO] \- junit:junit:jar:4.8.2:test
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  0.608 s
[INFO] Finished at: 2021-12-20T14:32:31+09:00
[INFO] ------------------------------------------------------------------------

> Docker versions still contain log4j-core-2.11.1.jar

What do you mean by Docker versions?
AFAIK fluent-logger-java is a library, so it's not distributed in a Docker container without an application.
If your application distributed in a Docker container has the issue, it's an issue with your application or Docker container.

@ashie ashie closed this as completed Dec 20, 2021
@julichan

julichan commented Dec 20, 2021

Hey @ashie, I only used unmodified Docker versions of Logstash and Elasticsearch from docker.elastic.co. At least one of them in 6.8.21 and 7.16.1 still contained log4j-core 2.11.0.jar, even if the class was extracted as per the proposed mitigation. I did not check other versions personally.
Even if the fix was the recommended mitigation, it's still just a mitigation, not a fix, and it doesn't pass security scanners.
Now 6.8.22 and 7.16.2 are completely fixed with log4j 2.17.0, so it's all good and really fixed.
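The two checks discussed in this thread, as an added example (not fluent-logger-java project code): ashie's build-time check, parsing `mvn dependency:tree` output for `org.apache.logging.log4j:log4j-core`, and julichan's runtime check, scanning a filesystem (for instance a rootfs from `docker export`) for log4j-core jars and telling apart a genuinely fixed release, a jar mitigated by deleting `JndiLookup.class`, and an untouched vulnerable jar. The sample tree output is the one ashie posted with one constructed log4j-core line added; the three jars are constructed in a temp directory with only `pom.properties` and a placeholder class entry, not real log4j code. The 2.17.0 threshold is taken from julichan's comment; a stricter or looser policy is a one-line change.

```python
"""Added example: does the build pull in log4j-core, and does a deployed tree
contain a log4j-core jar that is fixed, merely mitigated, or vulnerable."""
import os
import re
import tempfile
import zipfile

# One dependency:tree entry looks like groupId:artifactId:jar:version:scope
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")
# Class whose removal is the widely circulated CVE-2021-44228 mitigation
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven-built jars carry their version here; scanners read this, not the class list
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED_FROM = (2, 17, 0)  # threshold from the thread; adjust to your policy

# ashie's posted tree plus ONE constructed line (marked) so detection has something to find
SAMPLE_TREE = r"""[INFO] org.fluentd:fluent-logger:jar:0.3.5-SNAPSHOT
[INFO] +- org.msgpack:msgpack:jar:0.6.8:compile
[INFO] |  +- com.googlecode.json-simple:json-simple:jar:1.1.1:compile
[INFO] |  \- org.javassist:javassist:jar:3.16.1-GA:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.6:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.1.1:test
[INFO] |  \- ch.qos.logback:logback-core:jar:1.1.1:test
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.11.1:compile   (constructed line, not in the real tree)
[INFO] \- junit:junit:jar:4.8.2:test
"""


def log4j_core_deps(tree_output):
    """Return [(version, scope)] for every log4j-core entry in dependency:tree output."""
    hits = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == "org.apache.logging.log4j" and m.group(2) == "log4j-core":
            hits.append((m.group(3), m.group(4)))
    return hits


def parse_version(v):
    """'2.11.1' -> (2, 11, 1); pads missing components with 0."""
    nums = [int(n) for n in re.findall(r"\d+", v)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def classify_jar(path):
    """Classify one log4j-core jar as 'fixed', 'mitigated' or 'vulnerable'."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for line in z.read(POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        if version is None:  # fall back to the filename
            m = re.search(r"log4j-core-([\d.]+)\.jar$", os.path.basename(path))
            version = m.group(1) if m else "unknown"
        if version != "unknown" and parse_version(version) >= FIXED_FROM:
            status = "fixed"
        elif JNDI_CLASS not in names:
            # Exploit path removed, but the version string still reads 2.11.x,
            # which is exactly why version-based scanners keep flagging it.
            status = "mitigated"
        else:
            status = "vulnerable"
    return version, status


def scan_tree(root):
    """Walk a directory (e.g. an exported container rootfs) and classify every log4j-core jar."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("log4j-core") and f.endswith(".jar"):
                p = os.path.join(dirpath, f)
                results[os.path.relpath(p, root)] = classify_jar(p)
    return results


def make_jar(path, version, include_jndi):
    """Build a constructed, minimal log4j-core jar for the demo (no real log4j code inside)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class file


def demo():
    """Constructed rootfs with one vulnerable, one class-stripped and one fixed jar."""
    with tempfile.TemporaryDirectory() as root:
        for sub, version, jndi in (("usr/share/app/lib", "2.11.1", True),
                                   ("opt/mitigated/lib", "2.11.1", False),
                                   ("opt/fixed/lib", "2.17.0", True)):
            d = os.path.join(root, *sub.split("/"))
            os.makedirs(d)
            make_jar(os.path.join(d, f"log4j-core-{version}.jar"), version, jndi)
        return scan_tree(root)


if __name__ == "__main__":
    print("log4j-core in build:", log4j_core_deps(SAMPLE_TREE))
    for path, (version, status) in sorted(demo().items()):
        print(f"{status:10s} {version:8s} {path}")
```

On a real image the scan is `docker export <container> | tar -x -C rootfs` followed by `scan_tree("rootfs")`; a "mitigated" result means the JNDI lookup class is gone but the artifact version is still the one scanners match on, which is the distinction julichan draws between a mitigation and a fix.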

@zahirtezcan-bugs
Author

@ashie I thought this issue could be used to track the mentioned logback issue. Since logback was a fork of log4j, I thought that might be relevant.

3 participants