log4j-detector
Detection of potentially safe log4j 1.x after manual mitigation
Version of log4j_detector: log4j-detector-2021.12.20.jar
Hello, currently log4j-detector logs the following lines after finding log4j 1.x files:
$ sha256sum ./log4j-1.1.3.jar
635d4be0003f9b24f560a7835db59fef04d1102bac75824c5f1c6ae48aa626a9 ./log4j-1.1.3.jar
$ java -jar ./log4j-detector-2021.12.20.jar ./log4j-1.1.3.jar
/home/litew/Downloads/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_
According to https://logging.apache.org/log4j/2.x/security.html, "CVE-2021-44228: Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.":
Log4j 1.x mitigation: Log4j 1.x does not have Lookups so the risk is lower. Applications using Log4j 1.x are only vulnerable to this attack when they use JNDI in their configuration. A separate CVE (CVE-2021-4104) has been filed for this vulnerability. To mitigate: Audit your logging configuration to ensure it has no JMSAppender configured. Log4j 1.x configurations without JMSAppender are not impacted by this vulnerability.
Mentioned CVE-2021-4104 has CVSS 8.1 HIGH score.
As https://access.redhat.com/security/cve/CVE-2021-4104 states, there is a possibility to manually mitigate the CVE-2021-4104 vulnerability by removing the JMSAppender class from the log4j 1.x jar with the following command:
$ zip -q -d "/path/to/log4j-1x-file.jar" org/apache/log4j/net/JMSAppender.class
After doing this log4j_detector will still report this file as _OLD_:
$ sha256sum ./log4j-1.1.3.jar
b2fc57bc76999ee101036d3bea9993a07adbf79cb21804b5b79c733fbcb01578 ./log4j-1.1.3.jar
$ java -jar ./log4j-detector-2021.12.20.jar ./log4j-1.1.3.jar
/home/litew/Downloads/log4j-1.1.3.jar contains Log4J-1.x <= 1.2.17 _OLD_
Could you please add an option to report old log4j 1.x patched versions as potentially safe? Maybe add another status, such as _OLD_POTENTIALLY_SAFE or maybe _OLD_MANUAL_MITIGATION_APPLIED_.
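The status the issue asks for, as an added example that is not log4j-detector's own code: a small Python check that looks inside a log4j 1.x jar for org/apache/log4j/net/JMSAppender.class and reports whether the manual mitigation has been applied, plus the same entry removal that `zip -q -d` performs. The marker class path, the status strings and the in-memory sample jar are assumptions; the real tool's heuristics are not reproduced here.

```python
import io
import zipfile

# Assumed marker for a log4j 1.x jar (not the detector's real fingerprinting).
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
# The class whose presence makes CVE-2021-4104 reachable.
JMS_APPENDER = "org/apache/log4j/net/JMSAppender.class"


def build_jar(entries):
    """Build a constructed in-memory jar with the given entry names (sample input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")  # class-file magic, not real bytecode
    return buf.getvalue()


def entry_names(jar_bytes):
    """Return the sorted entry names of a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(zf.namelist())


def classify(jar_bytes):
    """Report the status requested in the issue, based on entry names rather than a file hash."""
    names = set(entry_names(jar_bytes))
    if LOG4J1_MARKER not in names:
        return "NOT_LOG4J_1X"
    if JMS_APPENDER in names:
        return "_OLD_"
    return "_OLD_MANUAL_MITIGATION_APPLIED_"


def strip_jms_appender(jar_bytes):
    """Rewrite the jar without JMSAppender.class, the same effect as `zip -q -d jar org/.../JMSAppender.class`."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JMS_APPENDER:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    jar = build_jar([LOG4J1_MARKER, JMS_APPENDER, "org/apache/log4j/net/SMTPAppender.class"])
    print(classify(jar))                      # _OLD_
    print(classify(strip_jms_appender(jar)))  # _OLD_MANUAL_MITIGATION_APPLIED_
```

Because the sha256 of the jar changes once the entry is deleted (as the two sums in the issue show), a hash-based allowlist cannot recognise the mitigated file; checking the entry list can.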
@litew I don't think "OLD" has anything to do with CVE-2021-4104. The last version of log4j 1.x was published in 2012: it's unmaintained and has a myriad of other critical vulnerabilities.
Personally, I think you're just as much at risk using log4j 1.x regardless of whether you remove JMSAppender.
Edit: this is actually mentioned in the README.
You are safe from CVE-2021-44228, but should plan to upgrade because Log4J 1.2.x has been EOL for 7 years and has several known-vulnerabilities.