
Log4j vulnerability via eclipse.jdt.ls

Open deisi opened this issue 2 years ago • 9 comments

Issue Prelude

Please complete these steps and check these boxes (by putting an x inside the brackets) before filing your issue:

  • [x] I have read and understood YCM's CONTRIBUTING document.
  • [x] I have read and understood YCM's CODE_OF_CONDUCT document.
  • [x] I have read and understood YCM's README, especially the Frequently Asked Questions section.
  • [x] I have searched YCM's issue tracker to find issues similar to the one I'm about to report and couldn't find an answer to my problem. (Example Google search.)
  • [x] I understand this is an open-source project staffed by volunteers and that any help I receive is a selfless, heartfelt gift of their free time. I know I am not entitled to anything and will be polite and courteous.
  • [x] I understand my issue may be closed if it becomes obvious I didn't actually perform all of these steps.

Thank you for adhering to this process! It ensures your issue is resolved quickly and that neither your nor our time is needlessly wasted.

Issue Details

Provide a clear description of the problem, including the following key questions:

  • What did you do?

nvim 5.0 windows, installed YCM with the suggested --all option

Include steps to reproduce here.

  1. Install YCM and run the log4j finder (https://github.com/fox-it/log4j-finder).
  • What did you expect to happen?

Having a secure and safe system

  • What actually happened?

log4j finder reports that

AppData\Local\nvim\pack\vendor\start\YouCompleteMe\third_party\ycmd\third_party\eclipse.jdt.ls\target\repository\plugins\org.apache.log4j_1.2.15.v201012070815.jar contains Log4J-1.x <= 1.2.17 OLD :-|

uses an old unpatched version of log4j.

Now I know this is basically a dependency issue, as the third-party repository needs to be fixed, but following the installation instructions suggested by the project currently introduces this vulnerability into a system.

deisi avatar Dec 20 '21 09:12 deisi

Maybe I was a little quick on this one; maybe the 1.2.17 version doesn't have this vulnerability. However, I'm not sure.

deisi avatar Dec 20 '21 09:12 deisi

What specific attack vector are you concerned about? I don't believe that 1.2.17 is easily exposed to the log4shell vulnerability, though it may well be riddled with other issues.

Nonetheless, YCM is not in control of the dependencies of third-party packages. You'll need to request any changes first from upstream https://github.com/eclipse/eclipse.jdt.ls

puremourning avatar Dec 20 '21 09:12 puremourning

Actually, I just noticed they removed log4j recently: https://github.com/eclipse/eclipse.jdt.ls/commit/d28e26ef5d618fd00e5f527ce128ba6369353879

and there's a 1.7.0 release that contains it. I think we can try to update eclipse.jdt.ls in ycm. Standby.

puremourning avatar Dec 20 '21 10:12 puremourning

Unfortunately, the 1.7.0 version has a massive regression in signature help that breaks our tests.

[screenshot attached: Screenshot 2021-12-20 at 10 47 34]

However, I think that jdt.ls doesn't actually use log4j so perhaps it's not really affected.

I have raised: https://github.com/eclipse/eclipse.jdt.ls/issues/1980

puremourning avatar Dec 20 '21 11:12 puremourning

I also have noticed this vulnerability. My employer has made a pretty big deal about this, and all the software devs have to scan their computers (and any other computers/servers they are responsible for) and fix any and all instances of this vulnerability (no exceptions). The YouCompleteMe plugin has this vulnerability, and so technically I have to uninstall YouCompleteMe since updating to the latest version doesn't seem to remediate the problem.

fjelliott avatar Jan 04 '22 20:01 fjelliott

As I have explained above, there is no vulnerability via YCM as eclipse.jdt.ls doesn't actually use it. Further, with YCM you don't even have to use the Java support (don't pass --java-completer when installing YCM), which means no vulnerability.

As I have also made clear above, we can't upgrade jdt.ls at the moment because later versions are broken.

puremourning avatar Jan 04 '22 20:01 puremourning

Unfortunately, as long as the old version of the log4j package shows up in the scan tool, it's a problem. It's a company politics thing, and the IT Information Security department is one of the most stubborn departments in the company in my experience. Therefore, as long as the scan tool complains I don't have many options. Can I remove the eclipse.jdt.ls submodule from the YCM source tree entirely without affecting anything?

fjelliott avatar Jan 04 '22 20:01 fjelliott

I just noticed that if I reclone the YouCompleteMe repository and then run install.py without the --java-completer flag, that dependency won't be checked out. This is good enough for me since the forbidden library can't be found on my system. I don't really program with Java anyway.

fjelliott avatar Jan 04 '22 20:01 fjelliott

It seems the upstream regression blocking this is fixed, but no release has been made containing it yet. https://github.com/eclipse/eclipse.jdt.ls/pull/2014

puremourning avatar Mar 13 '22 19:03 puremourning