CVE-2023-6481 (High) detected in logback-core-1.2.10.jar #3821

mend-for-github-com · 2023-12-11T13:45:14Z

CVE-2023-6481 - High Severity Vulnerability

Vulnerable Library - logback-core-1.2.10.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.10/5328406bfcae7bcdcc86810fcb2920d2c297170d/logback-core-1.2.10.jar

Dependency Hierarchy:

zookeeper-3.9.1.jar (Root Library)
- ❌ logback-core-1.2.10.jar (Vulnerable Library)

Found in HEAD commit: 6fc6967bbd0aa4c4c67c448f9cb2e97aca8095c7

Found in base branch: main

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

stephen-crawford · 2023-12-11T16:04:58Z

[Triage] @derek-ho could you please add your findings here :)? Thank you.

Sounds like we need to upgrade the version to be in line with core.

derek-ho · 2023-12-11T16:43:26Z

Will be fixed by: #3823

### Description Resolve logback-classic to 1.2.13 to resolve GHSA-gm62-rw4g-vrc4 ### Issues Resolved Fix: #3821 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Derek Ho <dxho@amazon.com>

### Description Resolve logback-classic to 1.2.13 to resolve GHSA-gm62-rw4g-vrc4 ### Issues Resolved Fix: opensearch-project#3821 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Derek Ho <dxho@amazon.com> Signed-off-by: Prabhas Kurapati <prabhask@berkeley.edu>

### Description Resolve logback-classic to 1.2.13 to resolve GHSA-gm62-rw4g-vrc4 ### Issues Resolved Fix: opensearch-project#3821 Is this a backport? If so, please add backport PR # and/or commits # ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [ ] New functionality includes testing - [ ] New functionality has been documented - [ ] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). Signed-off-by: Derek Ho <dxho@amazon.com>

mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Dec 11, 2023

github-actions bot added the untriaged Require the attention of the repository maintainers and may need to be prioritized label Dec 11, 2023

stephen-crawford added triaged Issues labeled as 'Triaged' have been reviewed and are deemed actionable. and removed untriaged Require the attention of the repository maintainers and may need to be prioritized labels Dec 11, 2023

derek-ho mentioned this issue Dec 11, 2023

Resolve logback-classic to 1.2.13 #3823

Merged

3 tasks

willyborankin closed this as completed in #3823 Dec 11, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2023-6481 (High) detected in logback-core-1.2.10.jar #3821

CVE-2023-6481 (High) detected in logback-core-1.2.10.jar #3821

mend-for-github-com bot commented Dec 11, 2023

stephen-crawford commented Dec 11, 2023

derek-ho commented Dec 11, 2023

CVE-2023-6481 (High) detected in logback-core-1.2.10.jar #3821

CVE-2023-6481 (High) detected in logback-core-1.2.10.jar #3821

Comments

mend-for-github-com bot commented Dec 11, 2023

CVE-2023-6481 - High Severity Vulnerability

stephen-crawford commented Dec 11, 2023

derek-ho commented Dec 11, 2023