dynamodb-local contains snakeyaml CVE issues
Is there an existing issue for this?
- [X] I have searched the existing issues
Current Behavior
The program usr/lib/localstack/dynamodb-local has CVE-2022-1471 (org.yaml:snakeyaml). It installs 0:1.33; the fix is in snakeyaml 2.0.
Expected Behavior
No response
How are you starting LocalStack?
Custom (please describe below)
Steps To Reproduce
Amazon inspector scan
Environment
- OS: am64
- LocalStack version: 3.7.2
Anything else?
No response
Welcome to LocalStack! Thanks for reporting your first issue and our team will be working towards fixing the issue for you or reach out for more background information. We recommend joining our Slack Community for real-time help and drop a message to LocalStack Pro Support if you are a Pro user! If you are willing to contribute towards fixing this issue, please have a look at our contributing guidelines and our contributing guide.
Hello, our automated container test tool also detected a vulnerable Snake YAML library inside the latest images.
I did some image inspection and I found that inside the Docker image there is this file: usr/lib/localstack/dynamodb-local/latest/DynamoDBLocal_lib/Log4j-core-2.x.jar
This particular instance of Log4j-core-2.x.jar file is different from log4j-core-2.24.1 as I can retrieve from https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.24.1
In particular, localstack bundled Log4j-core-2.x.jar file includes these files which are not part of the officially distributed file on mvn repository:
All of these files in directory "internal_do_not_import" are not in the official log4j-core-2.24.1 and they do carry a security vulnerability.
These exist in the latest image available today for amd64, tag latest, digest sha256:4b6debd74b7aa6705cd322bede0fb5a8aa54c34aaf662a4e5a05bf45dce79f4c
Please consider this a security issue for a long-known vulnerability, which is being distributed to a large user base.
Hope the report above will help.
Thanks, Gianluca Bonetti
Upon further analysis I can say it is not LocalStack's fault or issue.
LocalStack uses Dynamodb_local from AWS. The official Dynamodb_local distribution can be downloaded from: https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html
As of today 2024-11-03 the official Dynamodb_local tarball does include the Log4j-core-2.x.jar file with the internal_do_not_import_378922 directory bundled inside, and the vulnerable Snake YAML library. https://d1ni2b6xgvw0s0.cloudfront.net/v2.x/dynamodb_local_latest.tar.gz SHA256 f5296028d645bb2d3f99fede0a36945956eb7386174430e75c00e6fb1b34e78d
Cheers, Gianluca Bonetti
The issue has been reported to AWS for security review of the Dynamodb_local bundles.
I directly spoke with AWS support team and we should have an update within the next couple of days.
https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DynamoDBLocal.DownloadingAndRunning.html
https://d1ni2b6xgvw0s0.cloudfront.net/v2.x/dynamodb_local_latest.tar.gz
The fix was released on the 2024-11-06 and you can use the link above to download the tarball.
This should be included in dynamodb-local from now on.
Hello, I am afraid it is not fixed. I downloaded that file, which is the same as on the AWS page (sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0).
The file still contains a custom Log4j build, which includes files not supposed to be there, as the folder name is clearly "do_not_import". So I am afraid this is not fixed yet.
If you look into the tarball it is using log4j 2.x which contains the actual fix. https://d1ni2b6xgvw0s0.cloudfront.net/v2.x/dynamodb_local_latest.tar.gz
Yes, indeed, I just downloaded the tarball file (with sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0, so it is the latest one as published on the website), but the same applies to the zip file.
Inside DynamoDBLocal_lib there are:
- Log4j-api-2.x.jar
- Log4j-core-2.x.jar <-- this one contains SnakeYaml and more dangling build files in the "do_not_import" folder
- Log4j-slf4j-2.x.jar
Again with a name which is not the official naming convention as published on Maven Repository which is (for the latest) log4j-core-2.24.2.jar != Log4j-core-2.x.jar
So that lib is still built as before, and includes embedded libraries instead of relying on dependencies pulled from Maven Repository. It doesn't seem fixed to me, looks all as weeks ago. Please check as well by downloading the file and inspecting DynamoDBLocal_lib folder, and Log4j-core-2.x.jar inside it. I am just pointing out what is inside there, trying to help.
Thanks, Gianluca
I am in the same boat as you. Will contact AWS again, but I need to know how you got that version.
I understand you ran unzip -l Log4j-core-2.x.jar
Yes, I downloaded it multiple times today and they always match sha256 875cb27dc7843d0d24263f0e1521280f9bfdf0ebf0e69fbd1b4cb00e7c8658e0. Then I expanded the tarball and ran "unzip -v Log4j-core-2.x.jar". The zip file includes the same Log4j-core-2.x.jar. Thanks, Gianluca
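For the defender-side check discussed in this thread (listing the jar's entries and spotting the relocated SnakeYAML), the following added example is mine, not code from the issue, from LocalStack or from AWS: it scans a jar for org/yaml/snakeyaml classes under any relocation prefix, reads the artifact version from META-INF/maven/org.yaml/snakeyaml/pom.properties, and compares it against the 2.0 fix version the issue names for CVE-2022-1471. The sample jar it builds is constructed in memory to mimic the reported layout; scan_jar_file and build_sample_jar are hypothetical helpers.

```python
"""Scan a JAR for a bundled (possibly relocated) SnakeYAML and report its version."""
import io
import re
import zipfile

# The issue states CVE-2022-1471 is fixed in SnakeYAML 2.0; anything older is flagged.
SNAKEYAML_FIXED = (2, 0)
# Where Maven-built jars record the artifact version, even when classes are relocated.
POM_PROPS = "META-INF/maven/org.yaml/snakeyaml/pom.properties"
# Matches SnakeYAML classes at their original package or under any relocation prefix.
CLASS_RE = re.compile(r"^(.*?)org/yaml/snakeyaml/.+\.class$")


def parse_version(text: str) -> tuple:
    """Turn '1.33' or '2.0-SNAPSHOT' into a comparable int tuple, zero-padded to (major, minor)."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < len(SNAKEYAML_FIXED):
        parts.append(0)
    return tuple(parts)


def scan_jar(data: bytes) -> dict:
    """Report whether SnakeYAML is inside the jar, where it was relocated to, and its version."""
    result = {"snakeyaml_present": False, "shaded_under": None, "version": None, "vulnerable": None}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        names = jar.namelist()
        prefixes = {m.group(1) for m in map(CLASS_RE.match, names) if m}
        if prefixes:
            result["snakeyaml_present"] = True
            # A non-empty prefix means the library was shaded into another package tree,
            # which is exactly what makes jar-name-based scanners miss it.
            relocated = sorted(p for p in prefixes if p)
            result["shaded_under"] = relocated[0] if relocated else None
        if POM_PROPS in names:
            result["snakeyaml_present"] = True
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    result["version"] = value.strip()
        if result["version"] is not None:
            result["vulnerable"] = parse_version(result["version"]) < SNAKEYAML_FIXED
    return result


def scan_jar_file(path: str) -> dict:
    """Hypothetical convenience wrapper for a jar on disk, e.g. DynamoDBLocal_lib/Log4j-core-2.x.jar."""
    with open(path, "rb") as fh:
        return scan_jar(fh.read())


def build_sample_jar(version, relocate: str = "") -> bytes:
    """Constructed sample jar imitating the layout reported in the issue; version=None omits SnakeYAML."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        stub = b"\xca\xfe\xba\xbe"  # class-file magic only; enough for a layout test
        jar.writestr("org/apache/logging/log4j/core/Logger.class", stub)
        if version is not None:
            jar.writestr(f"{relocate}org/yaml/snakeyaml/LoaderOptions.class", stub)
            jar.writestr(f"{relocate}org/yaml/snakeyaml/parser/ParserImpl.class", stub)
            jar.writestr(POM_PROPS, f"groupId=org.yaml\nartifactId=snakeyaml\nversion={version}\n")
    return buf.getvalue()


if __name__ == "__main__":
    relocated = build_sample_jar("1.33", "org/apache/logging/log4j/internal_do_not_import_378922/")
    print(scan_jar(relocated))  # vulnerable: True, shaded under the internal_do_not_import prefix
    print(scan_jar(build_sample_jar("2.0")))  # vulnerable: False, not relocated
```

If pom.properties is absent but relocated classes are found, the result reports the library as present with an unknown version, which is the case to escalate rather than dismiss.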
This is a false positive I think
From our analysis, Log4j-core-2.x.jar includes a build of SnakeYaml from a vulnerable version. Not sure why a folder named "do_not_import" should be there, it looks like a build pipeline problem. Secondly, I also don't understand why rely on a custom built Log4j when newer versions are ready to be used from Maven Repository. I feel like it is a true positive.
Still talking to AWS for this issue.
They confirmed that internal_do_not_import is not indicative of a security issue and it is their own internal package structure. They also use a custom build of log4j, and they will use a Maven import for log4j sometime in the future. This is a false positive.
do_not_import does not show a security issue but a build quality issue, and usually low-quality builds carry security issues. The problem is that within the do_not_import folder there is a vulnerable version of SnakeYAML, as pointed out in the original message opening this bug.
That's one of the things they said to me.
To clarify a few points discussed with AWS teams:
* The patched version of Log4j is a custom-built internal version that includes the necessary security fixes.
* The folder naming convention "do_not_import_<>" you may have noticed is part of our internal dependency management system and does not indicate the presence of vulnerable software.
* We are currently using our internal package structure, which is why we haven't switched to the Maven dependency. However, we do have plans to transition to the Maven dependency in the future, although we don't have a specific timeline for this change at the moment.
OK, we re-inspected dynamodb_local and the SnakeYAML vulnerability is not there any more. However, dynamodb_local includes more files containing vulnerabilities, including some of high severity level. This includes:
- ion-java-1.5.1 CVE-2024-21634 severity 7.5 <-- high
- jetty-server-12.0.8.jar CVE-2024-8184/6.5 and CVE-2024-6763/5.3
- netty-common CVE-2024-6763/5.3 and CVE-47535/5.5
I will update the request I have already filed with Amazon, but you can pass the information along. I am afraid to say that dynamodb_local fails at the basic security checks, which is to keep packages up to date with the latest security releases.
Additionally, there are problems with python packages in the localstack docker image itself:
- /opt/code/localstack/.venv/lib/python3.11/site/packages/amazon_klcpy/jars/logback-core-1.3.12.jar CVE-2023-6481 severity 7.5
- /usr/local/lib/node_modules/npm/node_modules/cross-spawn CVE-2024-21538 severity 7.5
- /usr/local/lib/python3.11/site-packages/pkg_resources CVE-2024-6345 severity 8.8
- plus others medium/low known CVE
For security standards, both AWS official dynamodb_local and localstack docker image fail at security check for well known vulnerabilities with high CVE score. Do you want to track those vulnerabilities here or need other tickets?
Thanks
I don't work for them, but this is the LocalStack GitHub.
I updated the vulnerability report to Amazon. I will create a separate ticket for LocalStack-specific vulnerabilities included in the Docker image. As it is, LocalStack will never pass any security scan for larger organizations.
https://aws.amazon.com/security/security-bulletins/AWS-2024-014/