
Nessus security scan complains about "Apache Log4j SEoL"

Open plix1014 opened this issue 1 year ago • 7 comments

Nessus complains about an outdated log4j version.

  • Apache Log4j 1.2 JMSAppender Remote Code Execution (CVE-2021-4104)
  • Apache Log4j 1.x Multiple Vulnerabilities
  • Apache Log4j SEoL (<= 1.x)

Reported version: asetune\lib\log4j-1.2.17.jar
Fixed version: 2.16.0

Please update to a recent version.

plix1014 avatar Nov 25 '24 08:11 plix1014

Upgrading Log4J to version 2 has been on my TODO list for a while
Hopefully I will have time to do it soon, but more work than just switching to a new JAR...

The last time I made an attempt at it, I gave up... I had too much integration with the internals of Log4J. But hopefully I can rewrite or skip some parts of that!

My plan is to release a new public release of DbxTune within 1-3 months; hopefully it will use Log4j 2.

I will keep this Issue open until it's solved!

goranschwarz avatar Nov 25 '24 16:11 goranschwarz

great, thanks

plix1014 avatar Nov 26 '24 16:11 plix1014

Log4j 1.7 has now been replaced with Log4j 2.24.3

I also made a bunch of changes (like renaming the package from com.asetune to com.dbxtune, and the JAR file is now called dbxtune.jar). But hopefully you will not notice those changes (if everything works as expected).

Here is a test version that you can try: https://gorans.org/www/dbxtune/tmp/dbxtune_2025-02-08.zip
Let me know if the above ZIP file works for you!
And if you have any issues, let me know!

It would be nice to get confirmation that the "security scanner" also is "happier" after this version!

@plix1014: If this version works out fine, please close the Issue :)

goranschwarz avatar Feb 08 '25 19:02 goranschwarz
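The Nessus findings quoted at the top of this thread, and the request above for confirmation that the scanner is "happier" after the Log4j 2 build, both come down to one check: does the shipped `lib` directory still carry any Log4j 1.x classes? The script below is an added example written for this page, not DbxTune project code. It classifies every JAR by the class files it actually contains (including `org/apache/log4j/net/JMSAppender.class`, the class behind CVE-2021-4104) rather than by file name alone, so a Log4j 1.x copy repackaged inside another JAR is still reported. The sample JARs, including the hypothetical `app-bundle.jar` with shaded Log4j 1.x classes, are constructed inline so the script runs offline; they are not taken from the DbxTune distribution.

```python
"""Audit a lib/ directory for Log4j 1.x remnants after a Log4j 2 migration.

Added example, not DbxTune project code. JARs are classified by the classes
they contain, not just by file name. Sample JARs are constructed below.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Class files that ship in log4j-1.2.x (first two) and in log4j-api/core 2.x.
LOG4J1_CLASS = "org/apache/log4j/Logger.class"
LOG4J1_JMS_CLASS = "org/apache/log4j/net/JMSAppender.class"   # CVE-2021-4104 component
LOG4J2_CLASSES = (
    "org/apache/logging/log4j/Logger.class",          # log4j-api
    "org/apache/logging/log4j/core/Logger.class",     # log4j-core
)

VERSION_RE = re.compile(r"^Implementation-Version:\s*(\S+)", re.MULTILINE)


def inspect_jar(jar_path):
    """Return a finding dict for one JAR: which Log4j generation it carries."""
    with zipfile.ZipFile(jar_path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            match = VERSION_RE.search(manifest)
            if match:
                version = match.group(1)
    return {
        "jar": Path(jar_path).name,
        "version": version,                      # None when the manifest has no version
        "log4j1": LOG4J1_CLASS in names,
        "jms_appender": LOG4J1_JMS_CLASS in names,
        "log4j2": any(c in names for c in LOG4J2_CLASSES),
    }


def audit_lib_dir(lib_dir):
    """Inspect every *.jar directly under lib_dir; findings sorted by JAR name."""
    return [inspect_jar(p) for p in sorted(Path(lib_dir).glob("*.jar"))]


def log4j1_offenders(findings):
    """JAR names that still contain Log4j 1.x classes (what a scanner keeps flagging)."""
    return [f["jar"] for f in findings if f["log4j1"]]


def _write_jar(path, entries, impl_version=None):
    """Write a minimal JAR (a zip) with the given entry names. Constructed test data."""
    with zipfile.ZipFile(path, "w") as zf:
        if impl_version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {impl_version}\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")   # class-file magic; body irrelevant here


def build_sample_lib(lib_dir=None):
    """Constructed fixture: the old 1.2.17 JAR, the 2.24.3 JARs, and a shaded copy."""
    lib = Path(lib_dir or tempfile.mkdtemp(prefix="lib-audit-"))
    _write_jar(lib / "log4j-1.2.17.jar", [LOG4J1_CLASS, LOG4J1_JMS_CLASS], "1.2.17")
    _write_jar(lib / "log4j-api-2.24.3.jar", [LOG4J2_CLASSES[0]], "2.24.3")
    _write_jar(lib / "log4j-core-2.24.3.jar", [LOG4J2_CLASSES[1]], "2.24.3")
    # Hypothetical application JAR that bundled Log4j 1.x classes: nothing in the
    # file name or manifest mentions Log4j, so a name-based check would miss it.
    _write_jar(lib / "app-bundle.jar", ["com/example/Main.class", LOG4J1_CLASS])
    return lib


if __name__ == "__main__":
    findings = audit_lib_dir(build_sample_lib())
    for finding in findings:
        print(finding)
    print("still carrying Log4j 1.x:", log4j1_offenders(findings))
```

Point it at a real unpacked distribution with `audit_lib_dir("path/to/dbxtune/lib")`; an empty `log4j1_offenders` list is the result to expect once the 2.24.3 JARs are in place.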

By the way: What Collector are you using: AseTune, SqlServerTune or PostgresTune?
Are you using GUI or NO-GUI mode?
And: Are you also using DbxCentral?

goranschwarz avatar Feb 08 '25 20:02 goranschwarz

Thanks for the update, I will install it and wait for the next nessus scan. I'm using ASETune for Sybase ASE 15/16 in Gui mode. Didn't know that there is also a no-gui mode, and I can't imagine a scenario where it is useful either.

plix1014 avatar Feb 10 '25 17:02 plix1014

Scenario is:

  • Constant monitoring of one/several servers
  • Alarm Handling if something happens (for example via email):
    • A Blocking lock situation
    • Long running transaction (which may lead to a blocking lock)
    • No Backups has been taken for a while
    • If you have a HA/WarmStandby system -- Is it replication data or not...
    • etc, etc...
  • Daily Summary Reports -- Get a summary of todays behavior/usage
  • From a Web UI, look at "stuff" that happened yesterday, a week ago... 6 months ago...
  • Hey: Even developers might be interested in viewing how their implementation behaves in the Development environment (if monitored)
  • You probably have more than one DBMS Vendor at your company...
    • Well monitor them all from DbxTune
    • All will be visible from DbxCentral
    • Create a dashboard with the Metrics you want to see for all servers, on the same page
    • Or just use the landing page, and look for green or red lights to see overall health

I use this all the time for all of my customers!

More details

Have a look at what DbxTune can do at: https://dbxtune.com/
For an architectural overview of NO-GUI DbxTune/DbxCentral: https://github.com/goranschwarz/DbxTune?tab=readme-ov-file#dbx-central---short-overview

Have a look

You can also have a look at my "demo/test" environment for DbxTune/DbxCentral: http://dbxtune.gorans.org/ Where I have a couple of servers attached

  • Sybase ASE (in various versions: 12.5.4, 15.5, 15.7 & 16), GORANS_UB3_DS is version 16
  • Microsoft SQL Server (in versions 2016 & 2019, both on Linux and Windows)
  • Postgres (version: 12.7 & 16.2)
  • MySQL (version 8)

The servers are typically idle most of the time, but you may get an idea!

Click on any of the servers, and select:

  • Show ALL Available Graphs
  • Show System Selected Graphs
  • Open Latest Daily Summary Reports -- To View a Daily Summary Report

See Some activity

But since the servers are mostly idle, you can look at one of the SQL Servers, that at least does some job.

  • GS-1-WIN__SS_2016 (or prod-2a-mssql)...
    • Click: Show System or ALL Graphs
  • In the "top right" (calendar icon) choose "Last 24 hours"
  • Then click on the graph where you have a peak (at around 04:00 to 09:00)
    (or clicking the icon "Circle time back" at the top right corner)
    • This will enter: "history mode"
  • On the "top" you have a "slider" with green marks (meaning you have: Active SQL Statements)
  • When you are positioned on an "Active SQL Statement", a popup will be displayed with what was executed
  • Click on the checkbox in column:
    • HasSqlText -- To see the SQL Statement
    • HasQueryPlan or HasLiveQueryPlan -- To see the Execution plan
    • HasSpidLocks -- To see what locks that SPID has at the moment
    • HasBlockedSpidInfo -- To view responsible blocker and what the affected blocked spid's are doing...
    • etc...

Sybase ASE doesn't have the exact same column names and info, but more or less the same (it's the columns from CmActiveStatements). After that short intro, you might understand why it might be useful ;)

PS. You can also use the GUI Tool and connect to any of the detailed recordings, and view historical details of the recording... Looking at the same data as you do "live" today... But now you can "backtrack" what happened at 03:00 at night

Now, when "someone" at your company says:

  • I had an issue 3 days ago, do you know what happened...

Now you can say:

  • What time was it?
  • Let's have a look at it ;)

Oops... this became longer than anticipated ;)

goranschwarz avatar Feb 10 '25 18:02 goranschwarz

Any input on Log4j2 implementation?
Does it work as expected?
Or did the scanner pick up some issues?

goranschwarz avatar Mar 08 '25 14:03 goranschwarz

Closed due to: no response from reporter

goranschwarz avatar Oct 05 '25 17:10 goranschwarz