
Detection of potentially safe log4j 1.x after manual mitigation #60

Open
litew opened this issue Dec 20, 2021 · 1 comment

Comments

@litew

litew commented Dec 20, 2021

Version of log4j_detector: log4j-detector-2021.12.20.jar

Hello,
currently log4j-detector logs the following lines after finding log4j 1.x files:

$ sha256sum ./log4j-1.1.3.jar
635d4be0003f9b24f560a7835db59fef04d1102bac75824c5f1c6ae48aa626a9  ./log4j-1.1.3.jar

$ java -jar ./log4j-detector-2021.12.20.jar ./log4j-1.1.3.jar
/home/litew/Downloads/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_

According to https://logging.apache.org/log4j/2.x/security.html, "CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.":

Log4j 1.x mitigation
Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.

The mentioned CVE-2021-4104 has a CVSS score of 8.1 (HIGH).

As https://access.redhat.com/security/cve/CVE-2021-4104 states, there is a possibility to manually mitigate the CVE-2021-4104 vulnerability by removing the JMSAppender class from the log4j 1.x jar with the following command:

$ zip -q -d "/path/to/log4j-1x-file.jar" org/apache/log4j/net/JMSAppender.class

After doing this, log4j_detector will still report this file as _OLD_:

$ sha256sum ./log4j-1.1.3.jar
b2fc57bc76999ee101036d3bea9993a07adbf79cb21804b5b79c733fbcb01578  ./log4j-1.1.3.jar

$ java -jar ./log4j-detector-2021.12.20.jar ./log4j-1.1.3.jar
/home/litew/Downloads/log4j-1.1.3.jar contains Log4J-1.x   <= 1.2.17 _OLD_

Could you please add an option to report old, patched log4j 1.x versions as potentially safe? Maybe add another status, such as _OLD_POTENTIALLY_SAFE_ or _OLD_MANUAL_MITIGATION_APPLIED_.
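The check the issue asks for, as an added example that is not log4j-detector's own code: open the jar as a zip archive, confirm it is Log4j 1.x by a marker class, and then report whether org/apache/log4j/net/JMSAppender.class is still present. The marker and appender paths are real Log4j 1.x entries; the status names and the helper functions are assumptions taken from the issue text, and the jars built inside the block are constructed stand-ins (empty entries instead of real class files).

```python
"""Classify a Log4j 1.x jar by whether JMSAppender.class is still inside it.

Added example for the issue above; not part of log4j-detector. It reproduces
the effect of `zip -q -d <jar> org/apache/log4j/net/JMSAppender.class` on an
in-memory archive and then applies the proposed status labels.
"""
import io
import sys
import zipfile
from typing import List, Optional

# Real Log4j 1.x entry names (assumption: Category.class is present in every 1.x build).
LOG4J1_MARKER = "org/apache/log4j/Category.class"
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"  # class behind CVE-2021-4104

# Status names proposed in the issue (assumed labels, not detector output).
STATUS_OLD = "_OLD_"
STATUS_MITIGATED = "_OLD_MANUAL_MITIGATION_APPLIED_"


def jar_entries(data: bytes) -> List[str]:
    """Return the entry names of a jar (zip) given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        return jar.namelist()


def classify_log4j1(data: bytes) -> Optional[str]:
    """Return a status for a Log4j 1.x jar, or None if the jar is not Log4j 1.x."""
    names = set(jar_entries(data))
    if LOG4J1_MARKER not in names:
        return None
    # JMSAppender still shipped -> plain _OLD_; removed -> manual mitigation applied.
    return STATUS_OLD if JMS_APPENDER in names else STATUS_MITIGATED


def build_fake_jar(entries: List[str]) -> bytes:
    """Constructed test input: a zip whose empty entries stand in for class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in entries:
            jar.writestr(name, b"")
    return buf.getvalue()


def remove_entry(data: bytes, entry: str) -> bytes:
    """Equivalent of `zip -q -d jar entry`: rewrite the archive without one entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != entry:
                dst.writestr(info, src.read(info.filename))
    return buf.getvalue()


def scan_path(path: str) -> Optional[str]:
    """Classify a jar on disk; used by the command-line entry point below."""
    with open(path, "rb") as f:
        return classify_log4j1(f.read())


if __name__ == "__main__":
    # Usage: python classify_log4j1.py /path/to/log4j-1x-file.jar [...]
    for p in sys.argv[1:]:
        print(p, scan_path(p))
```

The classifier only answers the narrow question the issue raises (is the CVE-2021-4104 entry point gone?); a jar reported as mitigated is still an end-of-life Log4j 1.x build, so the label is a triage hint for the upgrade queue rather than a clean bill of health.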

@rgmz

rgmz commented Dec 21, 2021

@litew I don't think "OLD" has anything to do with CVE-2021-4104. The last version of log4j 1.x was published in 2012: it's unmaintained and has a myriad of other critical vulnerabilities.

Personally, I think you're just as much at risk using log4j 1.x regardless of whether you remove JMSAppender.

Edit: this is actually mentioned in the README.

You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.
